HAND 
HELD DESKTOP SERVER MULTIMEDIA DO-IT-YOURSELF AMD AM2~ 


The Viability and Liability of 


Punching Holes Through 


Since 1994: The Origi i 
: iginal Magazin j . 
i oe ee. of the Linux Community 


~ EROM ABERDEEN TO NOKIA TO 
a | DOING-IT-YOURSELF, WE HAVE 
THE ULTIMATE LINEUP FOR YOU 


MAT 


OXE 


Homebrew your own Ultimate Linux Box 

The Ultimate Multimedia Box under $1 million 
Aberdeen delivers big on bang for the buck servers 
The Nokia 770 is still the one 

The AMD socket AM2 foundation for the future 
Puget for a sound decision on the desktop 


[in —— 


Nun PEE AIONINND any 


VT inutile. joe 
j WEE - 
T TTT - 
; — | 
pa 7 
Lusenonene 


ee High-Performance and 


Eapnnnenneet | 


Oe ee A 5 | Enterprise Computing 
a) g | Under Your Control 


Industry Leading 2P and 4P x86 Computing 
Innovative server technology with outstanding performance and unrivaled memory 
scalability to accelerate compute and memory intensive applications. 


2-way XXtremeServer™ 4-way XXtremeServer™ 4-way XXtremeWorkstation™ 
up to 64GB of memory up to 128GB of memory up to 128GB of memory 


1U XtremeServer™ 3U XtremeServer™ XtremeWorkstation™ 
CC  — ee eee 
¢ Dual-Core AMD Opteron™ processors * Dual-Core AMD Opteron™ processors ¢ Dual-Core AMD Opteron™ processors 
¢ Up to 64GB of DDR2 533/667 memory ¢ Up to 128GB of DDR2 533/667 memory ¢ Up to 128GB of DDR2 533/667 memory 
¢ Up to 1.0TB SATA or 292GB SAS ¢ Up to 3.0TB SATA or 876GB SAS ¢ Up to 2.0TB SATA or 584GB SAS 
¢ 1 PCI-X and 1 PCI-Express x16 ¢ 3 PCI-X and 2 PCI Express x16 ° 3 PCI-X and 2 PCI Express x16 
¢ Dual-port Gigabit NICs ¢ Dual-port Gigabit NICs ¢ Two NVIDIA 4500/5500 graphics cards 
¢ Hot-swappable drives ¢ Redundant power supplies and fans ¢ Redundant power supplies and fans 
¢ ServerDome Management — IPMI 2.0 ° Hot-swappable drives ¢ Hot-swappable drives 
* Windows® or Linux OS ¢ ServerDome Management — IPMI 2.0 * Windows® or Linux OS 


¢ Windows® or Linux OS 


Get the facts... 
Performance Analysis and Value Proposition White Paper 
Go to http://www.appro.com 


AMD Opteron™ Processors: - AMD 64 Dual-Core Technology improve system throughput for faster networking connectivity 
- Best performance per-watt, helping to reduce electricity costs while maximizing IT budget dollars 


For more information, please visit www.appro.com 


A or call Appro Sales at 800.927.5464, 408.941.8100. 


HPC Cluster Solutions 


The Power of Being There: 


Times Cwo. 


So _ 


Discover how the combined power of Avocent and Cyclades IT infrastructure An Avocent.Company 
management solutions can take you and your data center to the next level. KVM, 
serial and power — all over IP. Plus, Intelligent Platform Management Interface 
(IPMI) and embedded KVM. The Power of Being There® Times two. 


Visit www.cyclades.com/lj 


CONTENTS iste va 


ULTIMATE «<< 
LINUX BOXES 


FEATURES 


How to start with the ultimate motherboard and build yourself your 
own Ultimate Desktop. 
Nicholas Petreley 


The Ultimate Desktop doesn't come cheap, but you'll get what you pay for. 
Dee-Ann LeBlanc 


Want a quad-processor server with performance and reliability for an 
amazingly reasonable price? 
Nicholas Petreley 


2 | august 2006 www.linuxjournal.com 


How do you create an Ultimate Linux Multimedia Center for less 
than a million dollars? 
Jon “maddog” Hall and Clay Claiborne 


Nothing beats the flexibility and expandability of this Linux handheld. 
Doc Searls and Jim Thompson 


The new AMD socket AM2 processor may not break speed records 
today, but it is likely to be the foundation for the future. 
Nicholas Petreley 


The competition doesn't 
stand a chance. 


If you base deployment decisions on performance and price, 
Coyote Point's for you. We’ve cornered that market. 


To prove it we asked The Tolly Group to evaluate our E350si application 
traffic manager against the competition. The results soeak for themselves. 


Throughput? Almost 40% more than others in our space. Cost of transactions 
per second? Up to four times less. Connection rate? In some cases, 
one-sixth the cost. One-sixth! And we’re told Coyote Point is the #1 choice 
for today’s open source networks. 


But don’t just take our word for it. Get the facts. Call 1.877.367.2696 
or write info@coyotepoint.com for your free copy of the full Tolly Report. 


© 2006 Coyote Point Systems, Inc. All Rights Reserved. 


CONTENTS issteva 


COLUMNS IN EVERY ISSUE 


Next Month 


22 REUVEN LERNER’S 10 LETTERS 
AT THE FORGE 14 UPFRONT 
eBay Web Services 46 NEW PRODUCTS Hs 
81 ADVERTISERS INDEX HIGH-PERFORMANCE 
28 MARCEL GAGNE'S COMPUTING 
COOKING WITH LINUX. IN DEPTH The term “high-performance cluster” 
Searching for the Ultimate elicits both a sense of excitement and a 
Desktop Enhancements 80 NETDVD: BUILDING feeling of intimidation. The latter need 
A NETWORK-ATTACHED not be true, because clustering and 
PERIPHERAL WITH LINUX high-performance computing isn’t really 


rocket science, as you'll see from our 


crucial aa why equip every PC with storage ang DVD articles next month. Whether you're 
ere writers when you can create an all-purpose clustering for redundancy, availability or 
rietiats is binary fear network attached peripheral? to create a compute-intensive graphical 


representation of quantum dynamic 
collision of atoms, you'll find Linux to 
be a natural. We'll cover DRDB, 
heartbeat, the multiplatform 
distributed computing Condor 

and even MILLE-XTERM for scalable 
X-terminal deployment. 


Bookmarks Menu Bradford C. Smith 


34 DAVE TAYLOR’S 
WORK THE SHELL 
End Game 


In addition, our columnists put priori- 
ties in perspective. Does it make sense 
to obsess over perfection when using 
quick-and-dirty shell scripting? And, 
when it comes to security, worrying is 
good if you're worrying about the 
right things. We'll tell you what some 
of those “right things” are. 


36 MICK BAUER’S 
PARANOID PENGUIN 
An Introduction to Novell AppArmor 


42 JON “MADDOG” HALL’S 
BEACHHEAD 
No Shoes, No Shirt, No Problem! 


86 DEVELOPING P2P ONE tt ced 
PROTOCOLS ACROSS NAT ¢ The Viablility and Liability of Linux 


Punch some holes in your network in order pnuMtoblleimnanes: Re ae 


44 DOC SEARLS’ <a wake POP wark bahind 4 frawall, ¢ Punching Holes through NAT P2P 


LINUX FOR SUITS se Problems, p. 86 

Girish Venkatachalam . . 
Progress Report toward ¢ Homebrew your own Ultimate Linux 
Independent Identity 90 MOBILE PHONES: THE Box, p. 57 

EMBEDDED LINUX CHALLENGE ¢ The Ultimate Multimedia Box under 
96 NICHOLAS PETRELEY’S Linux can be the ultimate embedded = mullan p66 
/NAR/OPINION operating system if you know the secrets. eAbemben deliver: Big on bangitar 


the buck servers, p. 64 

¢ The Nokia 770 is still the one, p. 70 

¢ The AMD socket AM2 foundation for 
the future, p. 72 


Postscripts on the Ultimate Linux Boxes Bill Weinberg 


USPS LINUX JOURNAL (ISSN 1075-3583) is published monthly by SSC Media Corp., 2825 NW Market Street #208, Seattle, WA 98107. 


Periodicals postage paid at Seattle, Washington and at additional mailing offices. Cover price is $5 US. Subscription rate is $25/year in the ¢ Puget for a sound decision on the 
United States, $32 in Canada and Mexico, $62 elsewhere. POSTMASTER: Please send address changes to Linux Journal, PO Box 980985, desk 3 
Houston, TX 77253-3587. Subscriptions start with the next issue. esktop, p. 5: 


4 | august 2006 www.linuxjournal.com 


Processor Expansion board for $4881 

- Up to four AMD Opteron’ processor MP 
166 DIMM sockets 

+ 12"x13" dimension with special architecture 

* Two Hyper TransporlTM vi 0 Connectors 


Thunder $4881 


8-Processor AMD Opteron™ Motherboard 

+ Up to eight or four AMD Opteron™ processor 

- Upto of Registered (ECC) DDR400/333 

- (4)SATA support RAID 0,1, 0+1 

+ Broadcom® BCM5704C Dual-Channel GbE controller 
+ IEEE 1394a (FireWire) ports 

- ATI’ RAGE™ XL with 8MB 


TYAN COMPUTER CORP. 


Tyan Computer USA 


3286 Laurelview Court 

Fremont, CA 94538 USA 

Tel: +1-510-651-8868 Fax: +1-510-651-7688 
Pre-Sales Tel; +1-510-651-8868 x5120 
Email: marketing@tyan.com 


~_ 


For more information about this and other Tyan products, 


i Pa ka Fa 


i 
Ma 
- 


Transport VX50 B4881 


8-Processor AMD Opteron™ 5U Server 


+ 4/8-Processor HPC Computing Platform 
+ Support up to eight (8) AMD Opterton™ &xx series 
- 4-P model (B4881-4P) 


Sixteen (16) DIMMs,supporting max. 
64GB registered, ECC DDR400/333 memory 


- 8-P model (B4881-8P) 


Thirty-two (32) DIMMs, supporting max 
128GB registered, ECC DDR400/333 memory 


+ Two (2) gigabit Ethernet LANs, 


Broadcom® BCM5704 controller 


- Three (3 )64-bit, 133/100/66MHz PCI-X slots , 


Two (2) PCI-E slots (1*x16 + 1*x4 signal) 
Total 5 usable PCI expansion slots 


please contact Tyan Pre-Sales at (510) 651-8868 x5120, 
or contact your local Tyan system Integrator/reseller. 


www.tyan.com 


Switch to JTL and get 2 months* 
FREE WEB HOSTING 


* 98.7% Customer Statisfaction rating 

* Shared Linux Web Hosting plans from $9.95 
* Managed Dedicated servers from $69/mo 

* Colocation from $35/mo 

* MySQL and PostgreSQL database support 

* Virus and Spam Protection 


web hosting specialist 


Real People Real Support” 
since 1998 


www.jtli.net/Ij 


1-877-765-2300 


*Olfes is 2 months bee or $50, whichever is less, depending on the hoving plan chosett 


JOURNAL 


Editor in Chief 
Nick Petreley, ljeditor@ssc.com 


Executive Editor Jill Franklin 
jill@ssc.com 
Senior Editor Doc Searls 
doc@ssc.com 
Art Director — Garrick Antikajian 
garrick@ssc.com 
Products Editor James Gray 
newproducts@ssc.com 
Editor Emeritus — Don Marti 
dmarti@ssc.com 
Technical Editor = Michael Baxter 
mab@cruzio.com 
Senior Columnist — Reuven Lerner 
reuven@lerner.co.il 
Chef Francais — Marcel Gagné 
mggagne@salmar.com 
Security Editor — Mick Bauer 
mick@visi.com 


Contributing Editors 


David A. Bandel ¢ Greg Kroah-Hartman ¢ Ibrahim Haddad ¢ Robert Love ¢ Zack Brown ¢ Dave 


Phillips * Marco Fioretti ¢ Ludovic Marcotte ¢ Paul Barry ¢ Paul McKenney 


Proofreader = Geri Gale 


VP of Sales and Marketing —= Carlie Fairchild 
carlie@ssc.com 


Marketing Manager Rebecca Cassity 
rebecca@ssc.com 
International Market Analyst — James Gray 
jgray@ssc.com 
Sales Coordinator — Lana Newlander 
ads@ssc.com 


Regional Advertising Sales 
NORTHERN USA: Joseph Krack, +1 866-423-7722 (toll-free) 
EASTERN USA: Martin Seto, +1 416-907-6562 
SOUTHERN USA: Laura Whiteman, +1 206-782-7733 x119 
INTERNATIONAL: Annie Tiemann, +1 866-965-6646 (toll-free) 


Advertising Inquiries ads@ssc.com 


Publisher — Phil Hughes 
phil@ssc.com 


Accountant = Candy Beauchamp 
acct@ssc.com 


Linux Journal is published by, and is a registered trade name of, SSC Media Corp. 


2825 NW Market Street #208, Seattle, WA 98107 USA 


Editorial Advisory Board 
Daniel Frye, Director, IBM Linux Technology Center 
Jon “maddog” Hall, President, Linux International 
Lawrence Lessig, Professor of Law, Stanford University 


Ransom Love, Director of Strategic Relationships, Family and Church History Department, 


Church of Jesus Christ of Latter-day Saints 
Sam Ockman, CEO, Penguin Computing 
Bruce Perens 
Bdale Garbee, Linux CTO, HP 
Danese Cooper, Open Source Diva, Intel Corporation 


Subscriptions 
E-MAIL: subs@ssc.com 
URL: www.linuxjournal.com 
PHONE: +1 713-589-3503 
FAX: +1 713-589-2677 
TOLL-FREE: 1-888-66-LINUX 
MAIL: PO Box 980985, Houston, TX 77253-3587 USA 
Please allow 4-6 weeks for processing address changes and orders 
PRINTED IN USA 


LINUX is a registered trademark of Linus Torvalds. 


The Dude network monitor 
software will dramatically 
improve the way you manage 
your network environment. 

It will scan devices within 
specified subnets, draw and 
layout a map of your networks, 
monitor services of your devices, 
and alert you in case a service 
has problems. And it’s free. 


www.mikrotik.com/dude/ 


- Free of charge 

- Network discovery and layout 

- Discovers all kinds of devices 

- Add new custom devices 

- Device, Link monitoring, alerts 

- SVG icons for devices 

- Draw your own maps 

- SNMP. ICMP, DNS and TCP monitor 
- Remote Dude server and local client 
- Link usage monitoring and graphs 
- Runs in Linux Wine environment 


co i ts 
se AY 
= b A 
Sa B 

H E y) 

. ‘a 

x i U 
— aa) a 
FORUM lent tee 
“ny : 


mn 
1 


aes 
: * 


ee 


ee0a8 
( foo veee 
cms 


more work on fewer siidteme choose 
the Dual-Core Intel® Xeon® 
Processor in your NEXXUS 4000® 
Personal Cluster. 


This Dual-Core Intel® Xeon® Processor 
based Personal Cluster server is the ideal 
platform for clients who have technical or 
mission-critical applications that require 
high processor count and fast interconnect. 
Based on a desk-side design, the NEXXUS 
4000® is an alternative to traditional 
datacenter centric solution and the perfect 
system for IT or Research departments 
looking to leverage the benefits of Intel® 
standardization. 


Visit us For all your computer needs 


CIARA-TECH.COM 


Give us a Call 


IEGOOR GI =i 225) 


a eae _—— 


~ a 


TES 


PERSONAL CLUSTER 
339S5o 
GORE 


8 Dual-Core Intel® Xeon® Processors 5148 Additional 32GB Memory $6,599 
32GB FBD ECC/Reg DDR2 533MHz Additional 1TB of Storage $1,099 
1TB (4 x 250GB) of Storage InfiniBand Interconnect $3,455 
Built-in Gigabit/KVM/USB Switch LS Ee eee a ee 


® 150 Gigaflops' computing power. 
Up to 128GB? FBD DDR2 553/667MHz. 


Built in 8 or 16 Port Gigabit Switch. 
(Optional 8 Port InfiniBand Switch) 


Up to 8 Serial ATAII HDD. 
Integrated KVM/USB Switch. 
Plugs into one single 110/220V outlet. 


Convenient desk-side form factor. 


Celeron, Caleron inside, Centrino, Centrino Logo, Core inside, intel, intel Logo, intel Core, intel inside, Intel inside Logo, Intel SpeedStep, intel Viv, Raniurn, ftaniurn inside, Pentium, . A => 
Pontiumn inside, Xeon and Xeon Inside are traciomnarks or registored trademarks of inte! npn Aecdae ei rlembelndasian bveartdinlatcicthsonleontcl (1) Inportart information. inside 
All prices, ons and promotional offers are subject to change without notice. Ciara cannot be responsible for typography errors, errors, All pricing 

ns dome Shipping and applicable tases are not included, (1) Based on peak performance with Dual-Core int 10X® Xeon® Processor 5148. aalablo With 4G8 FEDMOS 


KONQUEROR  SSHFS | TRIPWIRE | CAMBAS 


TRIP UP INTRUDERS 


JOURNAL 


letters 


In Defense of GNOME 

| think LJ and even Linus couldn't be more off the 
mark with their GNOME comments. Choice is great, 
but when there are too many choices, you just don’t 
really know what to do. I've always found that KDE 
was far too busy for me to work with, and GNOME 

< v.2 was like that too (I remember the days when 
GNOME was paired up with Enlightenment). I’d like to 
work, not configure. Coincidentally, when | asked my 
CompSci friends to pit KDE vs. GNOME, none of them 
came to the defense of KDE. And, lots who replied are 
friends whose opinions | respect, and a good handful 
of them, gasp, use Apple laptops with OS X. 


Benton Lam 


An Easier Way to Keep 

Linux in Suspense 

| enjoyed the May 2006 issue, especially all the articles 
on virtual machines. | have a lot of experience dual-boot- 
ing various Windows and Linux OSes. Recently, | have 
been playing around with VMware on Linux and 
Windows, and | think | have an interesting killer app for 
running a Windows host with a Linux guest: Suspend. | 
never have been able to get Linux to do a proper soft- 
ware suspend to RAM except on IBM T and X laptops. 
So running XP on the system lets me play 3-D games 
and standby and resume very reliably. | can click on 
VMware and run all my favorite Linux tools and toys 
with ease. | also can save lots of money in electricity and 
still have my computer respond in seconds, not minutes. 


Stuart Boreen 


Gentoo Emerges Victorious on AMD64. 
n etc/rant June 2006], the complaint seems to be not 
so much about Linux's poor AMD64 support as much as 
it is about Debian and Ubuntu-based distros’ AMD64 
support. | bought an AMD64 system about a year ago, 
installed Gentoo (because why use 32-bit packages if 
you don’t have to), and it worked (and still works) flaw- 
lessly. The Gentoo/AMD64 devs did a wonderful job of 
making sure the very few packages that don’t work with 
AMD64 completely have another method of installing. 
Need Flash? emerge (install) mozilla-firefox-bin. 
Java nsplugin comes with emul-x86-java. Need 
win32codecs? emerge mplayer-bin. Everything 
else can be emerged completely as normal. 


John 


MS Office Compatibility Is a Must 
To “da editor in chief": | wanted to write a few 
times, since it’s great to see you at Linux Journal. | 
think the position is a perfect fit. | followed you 
through the years at other rags and like your style 
very much. | hated to see you go, but everyone 
moves on hopefully to bigger and better things. 


First thing | want to say is the column name is 
also perfect. 
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Second, SUSE does ROCK indeed. I’ve been using it 
since around version 5, and I’ve been more or less 
happy, but 10 really ROCKS. | have both an i86 and 
AMD64 machines running 10—both installed the 
correct version flawlessly. That's what | call smooth. 


I'm sorry | must disagree with you on your first article 
[February 2006], which basically stated that Linux 
office suites should not look like Microsoft products or 
mimic them in any way. Statistics report that Microsoft 
Office has more than 90% of the office market—it is 
the product to beat. My last gig was at a very large 
Microsoft shop with 6,000 people in the US. Now, 
that’s a lot of licenses. Because of the compatibility of 
products like OpenOffice.org, | was able to load my 
laptop with SUSE and use OpenOffice.org to edit doc- 
uments created with Word. | also was able to send 
these docs back and forth with changes, and nobody 
was the wiser that it was done on a Linux box with 
OOo. If the compatibility of OOo with Office wasn’t 
there, | would still have XP on my laptop. | was able to 
use the company LAN, WAN, VPN and so on with no 
problems. The problems | did have were with Excel 
and PowerPoint, because these weren't so compatible, 
and/or my expertise with them was not so good. I’m a 
programmer, not a CPA or salesman. The bottom line 
is, if |can use OOo as a replacement for Office, | can 
run Linux. If not, | have to run Windows. 


Maybe in ten years, when Open Document will be the 
standard file format, we can have different products 
with a different look and feel, because they will all write 
the OD file format. At the moment, we have to beat 
the leader at its game, which in both the enterprise and 
desktop areas is really the only game, but Linux is 
becoming a major player and open-source products like 
OOo are fast becoming a “drop-in” replacement for 
Microsoft. We can’t let Linux fall to the wayside just like 
the Mac did, because it wanted to be different and not 
have anything to do with MS. Microsoft helped Mac be 
its own entity and be different, and basically made 
Apple pie out of them. Now only the crust is left. No 
threats from any Mac area of expertise. 


Thanks and good luck. | might not agree with every- 
thing you say, but | definitely will be reading your 
page every month. 


Jeffrey Lapchinsky 


What Good Do Rants Do? 

How is ranting about the inadequacies of Fedora 5 
accomplishing anything good [June 2006]? Complaining 
about disk labels? Have you tried doing iscsi without 
labels? Let me know how long /dew/sda remains the 
same disk after reboot. (LVM disk IDs not withstanding.) 


Tu 


| hope ranting about Fedora’s current method of 
using disk labels inspires Fedora to implement them 
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better. As | suggested, all they have to do to fix 
the problem | encountered is create better labels, 
such as FC5ROOT instead of /—Ed. 


Has Fedora 5 Left Nick Breathless? 
A good rant this month about Fedora [June 
2006]. | was nodding my head as you trashed the 
default partition labeling and dissed the glacial- 
ness of Yum. | occasionally have to use Fedora at 
work—to prevent myself from using Dan‘s Boot 
and Nuke to solve all of Fedora’s problems at 
once, | just keep muttering to myself, “at least it's 
not Windows, at least it’s not Windows...” 
Finally, apart from a small jab at Debian about 
licensing, you haven't had a go at Debian or 
Ubuntu for ages—have you run out of puff? 


Sonia Hamilton 


Fusing SSHFS with Your System 

| just received a copy of the June 2006 Linux 
Journal, and as | was browsing through, | saw 
the article on SSHFS. | finished reading the arti- 
cle, and | thought, “WHOA! | could so use this!” 
So | rushed home to install. 


| am using Debian (sarge), so | opened up synaptic, 
searched for sshfs and there it was! | installed it, 
and followed along with the article about how to 
configure it. | set up the usermod, and my empty 
directory and then...failure. Bleck: sshfs Me@ip: 
/remotefolder "fusermount: fuse device 
not found, try ‘modprobe fuse' first 
FATAL: Module fuse not found. 


| looked around and found that | needed to create 
a module for the kernel. Again using synaptic, | 
downloaded module-assistant and fuse source. | 
already had my kernel-headers installed, but a few 
of the other systems did not. That package is 
required for the installed kernel. This command 
seemed to work well (take note of the quotes): 


apt-get install kernel-headers-*uname -r° 
Once they were installed, as root | ran: 
module-assistant build fuse 

Followed by: 

m-a install fuse-source 

modprobe fuse 

At this point, you must reset your login. Either 
reset GNOME/KDE, or if you did this in another 
terminal session, log out and back in. 

Now, | reran as my user: sshfs Me@ip: 
/remotefolder, entered my password, and it 
worked! 

From this point on, | had no other problems with 
following the article. Thank you so much for 


pointing out this gem. My household runs Debian 
Linux and telling my wife and guests how to use 
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SSH all the time to transfer files can be bother- 
some at times. Now there is just a folder with the 
different links they can click on! Thanks L! 


Chris Stackpole 


Tail between Its Legs 

| recently upgraded my distro, and all these little 
scripts | have all of a sudden, didn’t seem to work. 
Why? Because the utilities head and tail have now 
decided that tail -2 is no longer valid syntax. 
You see, if | had half a brain | should know that 
the “proper” syntax is tail -n 2 or tail 
--lines=2. They really should have pushed harder 
for tail --may-I-please-see-the-last 2 
--lines. Just because -# numeric arguments 
[worked] for more than 20 years is no reason | 
should have an expectation for it to continue. 
After all, -n 2 is “standard”, you know, and | 
should just suck it up and look around on every 
single machine | upgrade and make sure | haven't 
committed the mortal sin of using deprecated syn- 
tax. My clients just love paying me to do that. 


Keith Smith 


Great rant! Want my job?—Ed. 


Deconstructing 

Constructive Criticism 

| have been reading your etc/rant column since you 
began writing for U, and some points you bring 
up are valid and need to be said. | would like to 
provide suggestions to make your comments more 
fruitful as well as acceptable to others. 


From a reader's perspective, your style seems to 
be to offer criticism in an attempt to create posi- 
tive results. That criticism, however, is destruc- 
tive—not constructive. Constructive criticism 
encourages improvement. Destructive criticism 
destroys what we have already built, and thus 
your comments are seen as a digression from the 
cause of Linux. Let's deal a better hand of cards. 


Valden 


Thanks for your comments. I’ve changed the 
name of the column so that | won't have to 
rant every month, but | wanted to respond to 
your concerns. | abhor character assassination, 
the last resort of someone with no substantial 
defense, so it is never my intention to engage 
in character assassination. So my point regard- 
ing Fedora 5 wasn't to call the Fedora develop- 
ers boneheads. My point was that Fedora’s 
approach to partition labels is bonehead. As | 
pointed out in the column, Fedora could use 
labels that aren't likely to conflict with other 
distributions, such as FC5ROOT instead of /. 
This is what | consider constructive criticism, 
even if it is wrapped in a politically incorrect 
tone, which is simply my rant style. 


In short, | think where we disagree is on what 
constitutes constructive criticism. | think you're 
looking for constructive-sounding criticism.—Ed. 
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diff -u 


WHAT’S NEW 
IN KERNEL 
DEVELOPMENT 


Work continues on 
the git revision 
control system. 
Recently, Linus 
Torvalds eliminated 
the dependency on 
an external diff pro- 
gram, resulting in execution times 
a sixth of what they had been 
under Linux and a fiftieth of what 
they had been under Cygwin. At 
the same time, other folks are 
adding colorization support to 
git’s diff output. In other git news, 
Petr Baudis, the Cogito maintainer, 
has been working on rename 
support. One of git’s innovations is 
that renames are detected at read 
time, when someone wants to track 
the history of a file, rather than at 
write time, when the file actually 
changes. But, implementing this 
read-time detection is a challenge. 
Petr and a variety of others, includ- 
ing Linus, have taken it up with 
great fervor recently. 

Several bits of kernel infra- 
structure are on the chopping 
block, notably DevFS. The option 
to use DevFS has been disabled 
since 2.6.13, three releases ago, 
and Greg Kroah-Hartman has 
posted patches to remove the 
DevFS code from each subsequent 
kernel release. The blkmtd driver, 
allowing memory devices to 
appear as block devices, is on the 
fast track out of the kernel. The 
block2mtd driver does the same 
thing and hasn't seen a bug report 
in more than a year, and in any 
case, blkmtd conflicts with 
H. Peter Anvin’s klibe project, 
which is vying for kernel inclu- 
sion. Andrew Morton was more 
than happy to push the blkmtd 
removal patch over to Linus, with- 
out requiring any fermentation 
time in the -mm tree. 

As mentioned above, H. Peter 
Anvin is pushing for klibc inclu- 
sion into the kernel. Klibc is a 
small, in-kernel libc, that allows 
certain kernel projects to exist in 
user space, safe in the assumption 
that the interfaces they need will 
be available when they need them. 
In this way, Linux continues to 


become more like a microkernel 
over time, without making the 
kind of speed sacrifices that have 
marginalized microkernels over the 
years. Linus expressed his desire to 
see the kernel gradually become 
more modular in this way several 
years ago, and rather than a mas- 
sive sudden effort to accomplish it, 
there seems to be a gentle ongoing 
assumption that if code can be 
moved out of the kernel, this is a 
good thing. Apparently, klibc is 
one of the good-thing enablers. 

Documentation is a rare and 
precious stone in the Open Source 
world. Recently, Chuck Ebbert 
put together some additions for 
the ptrace(2) man page that 
he’d gathered together from the 
linux-kernel mailing list, the 
source code and his own experi- 
mentation. Various folks, includ- 
ing Daniel Jacobowitz who had 
authored much of the functionality 
Chuck had documented, were 
happy to see this work, and Daniel 
offered a bunch of suggestions 
for improvement. 

The 2.4 kernel tree continues 
to rest in “deep maintenance 
mode” as Will Tarreau puts it. 
Herbert Rosmanith had asked if 
TPM would be back-ported from 
2.6, but it looks like that almost 
certainly will not happen. Willy has 
been maintaining a group of 2.4 
patches gathered from various 
places, not necessarily in the 
hopes of seeing Marcelo Tosatti 
accept them into the official 2.4 
tree, but more to enable 2.4 users 
to keep up to date on various 


drivers, without having to jump all 
the way into a 2.6-based system. 
With 2.4 apparently stationary at 
last, this puts more pressure on the 
2.6 developers to find a way to 
bring stability to the kernel. 
Recently, Linus Torvalds began 
insisting that new 2.6 code would 
be accepted only for two weeks 
after an official release. After that, 
only bug fixes would be taken. 
Some developers chafe at this 
restriction, but there does not 
seem to be any huge outcry against 
it. However, although this means 
that most 2.6 kernel releases will 
tend to be fairly stable from an 
up-time perspective, it does nothing 
to stabilize the behaviors and 
interfaces between kernel releases. 
For that kind of stability, someone 
will need to have a new idea. 

Ingo Molnar and others 
have implemented “lightweight 
user-space priority inheritance” 
support for futexes, which they 
say represents a significant mile- 
stone toward providing true 
real-time support for user-space 
applications. The issue is very 
controversial, partly because—as 
Ingo said in his announcement— 
an alternative set of priority 
inheritance code had been 
“circling Linux for years” that had 
bad overhead problems, buggy 
implementations and was just a 
mess. Real-time support in Linux 
is more widely controversial as 
well, because of the complexity it 
tends to add to the kernel. 


—Zack Brown 


Picasa 


on Linux 


In May 2006, Linux Journal 
was the first publication to 
learn that Google planned to 
introduce a Linux version of 
Picasa, the company’s digital 
photo management and 
sharing software. This is the 
first time Google has chosen 
Linux as the first additional 
platform for a formerly 
Windows-only product. In 
the past, Google has 
expanded first on Macintosh. 
Here's hoping that Google 
Earth and other originally 
Windows-only Google prod- 
ucts will migrate to Linux as 
well. Google runs its massive 
search engine on Linux 
servers. Although Google 
won't disclose how many 
servers they run, the compa- 
ny is widely regarded as the 
largest deployer of Linux in 
the world. 

Picasa began as the prod- 
uct of a Pasadena, California 
company by the same name. 
Picasa was founded in 
October 2001. Google bought 
the company in May 2004. 


—Doc Searls 


USER FRIENDLY by J.D. "Iliad" Frazer 


TO BE BEHOLDINK! HAVE 
BUILT THE ULTIMATE LINUX 
BOX WITH OWN HANDS! 


COPYEIDETNE 2006 J.D, “EEingd™ Femmes MTP:) /WWW.USERFETENCL D6) 
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LJ Index, August 2006 


1. Percentage of Global 2000 companies that will have formal open-source management strategies by 2010: 90 


2. Percentage of companies that have deployed or are considering deploying open-source applications: 81 


3. Percentage of companies that say open source has helped lower IT costs: 67 


4. Estimated dollar savings at Backcountry.com, thanks to open-source order management: 150,000 
5. Percentage cost of open-source Zimbra e-mail to Backcountry.com vs. proprietary alternatives: 10 
6. Thousands of pages in Backcountry.com’s internal wiki “knowledge management system”: 6.2 

7. Thousands of unique visitors per week to Backcountry.com, as of April 2006: 100 

8. Thousands of SKUs (stock-keeping units) at Backcountry.com: 80 

9. Number of new daily SKUs at Backcountry’s Steepandcheap.com subsidiary: 1 

10. Top daily dollar sales so far (as of April 2006) at Steepandcheap.com: 26,000 

11. Millions of dollars taken by Backcountry.com in 2004 sales: 27 

12. Millions of dollars taken by Backcountry.com in 2005 sales: 52 

13. Number of persons employed by Backcountry.com: 260 

14. Percentage of Backcountry.com employees doing in-house open-source programming: 10 


15. Millions paid by Red Hat for JBoss: 350 


16. Number of mentoring organizations approved for Google’s Summer of Code: 102 
17. Billions of dollars Intel plans to spend marketing inexpensive computers in emerging markets: 1 
18. Sites surveyed by Netcraft in May 2006: 81,565,877 


19. Millions of new hostnames on the Net by May 2006: 7.2 


20. Apache Web server market-share percentage in May 2006: 64.76 


1: Gartner, Inc. (via CIO Insight) | 2-14: CIO Insight | 15: CMPnetAsia | 16: LinuxDevices | 17: Knight Ridder Newspapers | 
18-20: Netcraft.com 


—Doc Searls 


Open source is a great way for a small, hungry company to build on a sophisticated platform 


= + 
] hey Saicl It and get a competitive edge—an edge that’s precisely tailored to their specific needs—far more 


cheaply than it could with proprietary software. 
—Eric Von Hippel, www.cioinsight.com/article2/0,1540,1959013,00.asp 


If nobody is dismissing you as hype, you are not loud enough. 
—Bruce Sterling (at SXSW 2006) 
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Linuxfest Northwest 2006 


Linuxfest Northwest, the largest users group conference 
in the Pacific Northwest, is held annually in Bellingham, : Danny O’Brien from the EFF; 
Washington, 20 miles south of the Canadian border, — 4 his T-shirt says, ++ungood 
less than two hours from Seattle by car. Linuxfest is put a 
on each year by the Bellingham Linux Users Group in a 
joint effort with other users groups from the area. 
Linuxfest is always free of charge and open to all; this 
year, an estimated 800 people attended. 

Each year, | am impressed by the top-notch pre- 
sentations Linuxfest manages to get. More than 40 
presentations covered topics from general interest to 
advanced systems administration. Presenters included 
people from IBM, Novell, Sun Microsystems and 
Oracle. Also, for the third year, Chuck Wolber held 
the Alpha Geek competition. There were only four 
time slots for all these presentations! They easily 
could expand Linuxfest to a two-day festival, without 
even needing to get more presenters. 

Danny O’Brien of the Electronic Frontier Foundation 
(EFF) gave a presentation called “Incoming! What's on 
the EFF’s Radar”. He briefly explained the EFF and then 
covered the topics that the EFF currently is most worried 
about. He is a very engaging speaker. 

Todd Trichler of Oracle explained “Oracle 
Contributions to Linux"—why Oracle is good for Linux 
and Linux is good for Oracle. Oracle has made numer- 
ous contributions to Linux, including the Oracle Cluster 
File System (OCFS2), which is now in the main kernel. 
Oracle has its own team of Linux kernel developers, and 
this lets Oracle provide complete support—no matter 
what breaks in a Linux Oracle system, they can fix it, Ted Haeger (Reverend Ted) from Novell. 
period. They cannot offer that level of support for any 
proprietary operating system. 

Ted Haeger of Novell showed off the results of 
“Desktop Innovation on Linux at Novell”—changes 
inspired by usability testing, new desktop search 
features (Beagle), a music player (Banshee), a photo 
manager (F-Spot) and a whole bunch of slick 3-D- 
accelerated eye-candy effects. 

Linuxfest is hosted each year by the Bellingham 
Technical College (BTC), which is a perfect venue for 
a technical conference. The BTC culinary arts students 
served up a barbecued salmon lunch again this year; 
the weather turned rainy, but people braved the 
elements to get the salmon. 

The exhibits room included Google recruiters; Linux- 
related businesses, such as Pogo Linux; users groups; 
Internet hosting services; free software projects, such 
as Ubuntu Linux and MySQL; and a computer hardware 
swap meet. 

The day finished with the annual fund-raising raffle. 
Several thousand dollars’ worth of donated prizes 
included server hosting services for up to a year. 

Linuxfest Northwest 2007 is already being planned 
for Saturday, April 28, 2007. Be there if you can! 


—Steve Hastings 
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eBay Web Services 


Access eBay development and test support in addition to its comprehensive 


Web services API. 


eBay’s Web services API allows programs to search through 
on-line auctions, but only if the programmer doesn’t get too 
frustrated first. 

During the past few months, we have looked at the Web 
services offered by two of the largest companies on the 
Internet, Amazon and Google. Each of these companies has 
enormous databases at the core of their businesses. By open- 
ing up some of that data to the public via Web services APIs, 
they have made it possible for outside developers to create 
new and interesting applications. No longer must we write 
“screen scraper” programs that parse the HTML produced by 
Amazon or Google. Now, we can write a program that 
requests precisely the data we want and receives it in exactly 
the format we need. 

Another major on-line contender is eBay, and its database 
of on-line sales might well be the largest ever assembled. eBay 
began solely as a site for on-line auctions, but it has moved far 
beyond that in recent years—with a fixed-price subsidiary 
(Half.com), fixed-price sales on the main eBay site (Buy it now) 
and third-party “stores” where people sell a variety of goods 
for a fixed or variable price. 

For several years, eBay has run a developer program for 
programmers interested in tapping into its database. However, 
until recently, this developer program required that developers 
pay in order to participate. From a business perspective, it 
might have initially seemed foolish for eBay to give away 
access to its sales database, particularly when the developer 
program clearly costs money to set up and maintain. Whether 
it was due to pressure from Amazon and Google, or from 
individual developers, or if eBay simply decided that it would 
benefit from additional publicity and outside developers, 
eBay dropped fees—making it possible for everyone to try 
this service. 

This month, we look at several aspects of the eBay Web 
services API. The API is too rich and extensive to discuss fully, 
so we look at the functionality that | believe most people will 
be interested in using—namely, that which lets you search 
through existing eBay auctions for items that are of interest. 
By the end of this article, you should understand how the 
API works, how to write programs that use REST to search 
through eBay's database and how to use that information 
for personal and business needs. 


Getting Started 

The idea behind Web services is quite simple. Instead of treat- 
ing an HTTP transaction as a request for an HTML document, 
why not think of it as a remote procedure call? The HTTP 
request then becomes a method for invoking a procedure on 
a remote server, with the URL indicating which method 
should be invoked and the HTTP response containing the 
result of the call. In nearly all cases, the response is an XML 
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document, allowing for the invoked procedure to return a 
complex data structure. 

There are at least three different styles for invoking a 
Web service, and eBay supports all of them. SOAP is perhaps 
the most sophisticated method, using XML in both the 
request and the response, but it is also the most complex 
and the most likely to run into cross-platform incompatibili- 
ties. This is partly because SOAP has tried to standardize all 
of the possible method calls, data types and scenarios that 
might be needed—leading to a somewhat bloated specifica- 
tion and many places where vendors disagree on how best 
to adhere to the specification. 

eBay also supports invoking Web services with what it calls 
the XML API. Because SOAP also consists of XML, | find this 
terminology to be a bit confusing, but Amazon also describes 
things in this way. So, until someone creates a useful acronym 
or name, we're stuck with it. APIs based on XML are basically 
stripped-down versions of SOAP, without much of the over- 
head associated with it, such as namespaces and highly 
specified methods to marshal complex data structures. eBay 
says it is possible to use either XML or SOAP to access the 
full functionality of its Web services. 

f | had to choose between SOAP and XML, | usually would 
use XML. But eBay provides a third interface, which is more 
limited than the SOAP and XML APIs, but far easier to work 
with. This third option is known as REST (short for representa- 
tional state transfer), and anyone familiar with URLs should 
immediately understand how it works. The parameters are 
passed in the URL, using the standard name=value syntax. A 
REST invocation thus looks like http:/www.example.com/ 
method?param1=value1 &param2=value2. 

REST invocations are useful only for searching through 
eBay's catalogs. If you want to monitor sales, adjust your 
shopping basket, add listings to your store or even send 
messages to sellers and buyers, you must use the XML 
or SOAP API. The size of the API documentation says it 
all: eBay's REST documentation is 29 pages long, and 
documentation for the SOAP and XML APIs is more than 
1,600 pages long in each case. 

Because the application we are building is supposed to 
search only through existing offers, rather than add a new item 
for sale, we can get away with using the REST API. The REST 
API makes it easier to jump right in, and it provides all of the 
functionality with less programming overhead. 


Registration 

Before you can use eBay’s Web services, you first must register. 
I'll now say something I've never had to say before in the histo- 
ry of writing this column: | cannot guarantee the directions | 
provide here will work. | had an extremely difficult time regis- 
tering with eBay’s developer system, despite spending hours 
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trying to do so, and | worry that many readers of this column 
will face similar challenges. 

The first confusing issue is the fact that eBay has several 
different computer systems, each with its own user database. 
The first (www.ebay.com) is the main, regular eBay system, 
on which you already have a user name and password if you 
ever have bought or sold something on eBay. 

A second system (www.sandbox.ebay.com), known as 
the sandbox, is where eBay developers can test their applica- 
tions without having to use up their monthly quota of 
requests (described in greater detail below) and without 
having to risk damaging a working on-line store. You can do 
anything you want inside of the sandbox, including create 
new users (to simulate interactions with those users), but 
the database is separate from the main eBay site. 

Finally, there is the eBay developer site (developer.ebay.com), 
which allows access to the APIs, certification of applications 
and documentation. Access to this site requires a third user 
name and password. 

| suggest that aspiring eBay developers register with all 
three of these sites—starting with the main eBay site, continu- 
ing with the developer site and ending with the sandbox. 
Technically speaking, you don't need to register with the sand- 
box if your applications will be used only on the production 
eBay system. However, | found enough places in which URLs 
mistakenly took me to the sandbox, rather than the developer 
site, so obtaining a sandbox login would be a prudent move. 
Was | sent to the sandbox because it’s the same as the devel- 
oper site? Because of a bug? Because of something that went 
wrong in my configuration? | wish | could say; | spent a great 
deal of time trying to figure it out and am simply trying to 
avoid pain for readers of this article. 

Part of the confusion is that the sandbox looks and feels 
exactly like the regular eBay site. This is largely a good thing, 
except that it means the only way to distinguish between the 
sandbox and the usual eBay site is by looking at the URL. Even 
confirmation e-mail messages from the sandbox were identical 
to e-mailed notices from the production eBay site. 

Once you have all three logins, you need to generate a 
set of production keys: a developer ID, an application ID 
and a certificate ID. These IDs uniquely identify you and 
your application, although the role of each key is not obvi- 
ous to me. (The eBay documentation indicates that each 
application has its own key, but | could not figure out how 
to generate a new set of keys for a separate application.) 
Each developer may have only one set of such production 
keys. Although the term application ID implies that there 
would be a separate key for each application you create, 
this does not seem to be the case. 

If you are going to use eBay's production system, then you 
need to certify your application. There are two levels of certifi- 
cation. One, known as self-certification, allows you to make 
up to 10,000 requests to eBay’s servers per month. Self- 
certification, as its name implies, requires that you fill 
out a short Web-based form describing your application. 
Upon submitting the form to eBay’s server, you are sent 
an e-mail indicating that your application has been self- 
certified. This e-mail message contains a link to a URL from 
which you can pick up your production keys, as well as a 
code that you must enter to retrieve those keys. 

Using this confirmation code, you then return to the 
eBay developer site, where you enter it. This results in the 
generation of your three production keys: the devID, appID 
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and certID (sometimes referred to in the documentation 
as AuthCert). 

If you are planning to use XML or SOAP, this is the end of 
the certification process; your application will need to send 
these IDs in the HTTP request headers. But we are using REST, 
which is supposed to simplify things—and although our actual 
method invocations eventually will be simpler than the XML 
and SOAP alternatives, we have not quite finished our task if 
we want to use REST. 

This is because REST parameters are passed in the URL, 
and it would seem that eBay has (rightly) decided that pass- 
ing the devID, appID and certID parameters would be ugly 
and unnecessary. To use REST, it is necessary to create a 
REST token, which creates a new, encoded string based on 
the three production keys. To generate the REST key, go to 
the REST token site, at developer.ebay.com/tokentool. 
Indicate that you want to use the production environment, 
that you want a REST token, and then enter your three 
production keys. 

Then, if you're like me, you'll get an error message. Try as | 
might, | couldn't get past an eBay login screen that was dis- 
played each time | tried to generate the REST token. Needless 
to say, | was quite frustrated by this point, and | began to 
wonder how (and why) a multibillion-dollar company could 
make it so difficult for developers to use its API. (In contrast, | 
was up and running within about 30 minutes after deciding to 
use the Google, Bloglines and Amazon APIs. The difference 
couldn't be starker.) 

| never really figured out what happened. Perhaps | wasn't 
logged in to eBay, although | thought | was logged in to all 
three sites (the main site, sandbox and developer site). It also 
could be that | was using Firefox, which is known to have 
problems with the registration. In the end, | used a different 
browser just so | could get the REST token. There were some 
messages on the eBay developer forums indicating that other 
Firefox users were having similar problems. It might have had 
to do with one of eBay's SSL certificates expiring several 
months earlier, although | doubt it. It seems to me that the 
login portion of eBay's site is in need of better quality control. 


Making Queries 

Once you have gotten through the registration nightmare, you 
can make queries. The REST API is well documented and is 
quite straightforward to use. First, let's look at a simple pro- 
gram that sees how many matches we can find to a particular 
text string. The program, shown in Listing 1, is written in Ruby 
and is similar to some of the Amazon- and Google-searching 
programs presented during the past few months. 

The program begins by retrieving our search parameters, 
automatically placed in the ARGV variable. We iterate over 
each element of ARGV, calling each individual argument 
query_string. We then use a hash to create an easily under- 
stood set of name-value pairs, in which the hash keys are 
the parameter names and the hash values are the parameter 
values. We then use a bit of Ruby magic to combine them, 
first turning them into pairs with map, and then using join 
to connect the pairs together with &. In the end, we have a 
string we can pass to eBay's server. 

In this particular example, we're using the Query method 
in the REST API. Query allows us to enter a text string, for 
which eBay will then search. The way that eBay has grown 
somewhat organically over the years becomes apparent 
when you use its Web services. You must explicitly indicate 
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Listing 1. 


ebay-lookup.rb 


#!/usr/bin/ruby 


require 'net/http' 
require 'rexml/document' 


if ARGV.length == 
puts "#{$0}: You must enter at least one argument." 
exit 

end 


output = "" 


# Iterate through each of our arguments 
ARGV.each do |query_string| 


output << "Searching for: #{query_string}\n" 


# Put together an eBay parameter string 
ebay_params = {'CallName' => 'GetSearchResults', 
"RequestToken' => 'XXX', 
"RequestUserId' => 'YYY', 
"Schema' => 1, 
"ItemTypeFilter' => 3, 
"SearchInDescription' => 1, 
'StoreSearch' => 3, 
‘DetailLevel'’ => 3, 
"Query' => query_string}.map {|key,value| 
"#{key }=#{value}"}.join("&") 


# Ask eBay what it Knows about our query_string 
ebay_response = Net::HTTP.get_response('rest.api.ebay.com', 
'/restapi?' << ebay_params) 


xml = REXML: :Document.new(ebay_response. body) 


# Get basic information 
how_many_matches = 
xml.root.elements["PaginationResult/TotalNumberOfEntries"].text 


output << "Number of matches: #{how_many_matches}\n" 
end 


# Show everyone what we've learned 
puts output 


if you want to search in stores as well as auctions. We also 
must indicate whether we want auction items, fixed-price 
items or both. Thus, our example searches through all stores 
(because StoreSearch = 3), auctions and fixed-price items 
(ItemTypeFilter = 3), in descriptions as well as item titles 
(SearchInDescription = 1), and with a fair amount of detail 
returned (DetailLevel = 3). 

We also indicate we want Schema = 1. This tells eBay we 
want to receive a response using eBay's new XML schema, 
rather than the older one that is now being deprecated. 

We then take ebay_params, a string created from our 
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name-value pairs, and pass it to Net::HTTP.get_response. This 
sends an HTTP request to eBay’s server (rest.api.ebay.com), 
using the appropriate path (/restapi), followed by our 
name-value pairs. 

When we get a response—and our sample code here 
assumes that we do receive a response—we expect that it 
is formatted in XML and parse it using Ruby’s built-in 
REXML library. We grab the total number of entries in 
eBay's database containing this search string and use the 
ext method to extract the text from between the 
<TotalNumberOfEntries> tags. Finally, the program displays 
its output, showing us how many items on eBay contain 
his text string. 

The API is relatively fast, allowing us to perform 
ookups for a particular string in relatively short time. That 
said, popular search strings can take far longer than rare 
words. A search for an ISBN took 1-2 seconds on my com- 
puter and indicated how many sellers were offering that 
ISBN for sale. A search for the term auction, not surpris- 
ingly, took more than 30 seconds to return a result and 
indicated that 29,458,603 sellers mentioned that term in 
the title or description. Obviously, the choice of search 
term, as well as the number of sellers and the quantity of 
text searched for that term, will have a significant effect 
on the performance of your application. 

eBay's API makes it possible to perform Boolean searches 
of various types. Putting two words together within quotation 
marks (URL-encoded, of course) allows you to search for a 
phrase. You can search for two words in the same auction by 
linking them with commas. 

You also can include and exclude particular sellers. If you 
are a seller on eBay, you might want to look at all of your 
items—or all of your competitors’ items, ignoring yours. These 
functions make it easier to navigate through the complex 
world of eBay, which sells a staggering variety of goods from 
all over the world. 


Differences and Considerations 

eBay's API, particularly for SOAP and XML, is rich and 
extensive. This is in addition to the simple, but limited, 
REST API that we used for the example in Listing 1. 
However, eBay's tagging of metadata, or information 
about each listing, is rather limited, especially when com- 
pared with Amazon. Perhaps this is because of the differ- 
ence between the two sites. Amazon, as a vendor with 
inventory, knows and can pull up information about each 
item's dimensions, weight and ISBN. By contrast, eBay's 
only real information about each sold item is its catego- 
rization, asking price (and bidding information) and the 
text used to describe it. 

There is a provision in the SOAP and XML APIs to look for 
items by ExternalProductID, which can be an ISBN or UPC. But 
when it comes to metadata describing each object, Amazon 
has beaten eBay hands down. 

Amazon also is friendlier when it comes to registration and 
usage. Amazon makes it easy to register and easy to get start- 
ed. Its forums are full of friendly people with useful advice. 
And, it sets relatively straightforward rules of use for its data. 

eBay also differs from Amazon in how many queries it 
allows an application to make. Amazon doesn’t restrict the 
number of queries, except by saying there should be no more 
than one per second, per IP address. eBay, by contrast, has a 
10,000-query limit for each application. However, this limit can 
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results they return. Each page from eBay 
contains up to 400 items, as opposed to 
Amazon's ten. In both cases, you can request 
subsequent “pages” of data, until you get 
information about all of the listings that 
matched your query. In this case, eBay's larger 
format is a significant improvement for people 
looking for popular items that might be avail- 
able from many sellers. 

Finally, eBay offers a dashboard showing 
which calls you have made and which were 
not compliant with its compatibility rules. 
This is an excellent feature—especially the 
part where it tracks how many queries suc- 
ceeded and failed. | don’t expect many of 
my REST queries to fail after | have 
debugged them, but it’s possible that this 
could happen. 

The bottom line is that I'm far more 
impressed with everything having to do 
with Amazon's Web services. eBay clearly 
is trying to improve things, with extensive 
documentation, developer forums and 
a help desk offering paid support. 
Nevertheless, it remains far inferior to 
what Amazon is offering. And, although 
they are not directly comparable, they also 
are inferior to Google's offerings in the 
Web services arena. 

That said, eBay is a major player in the 
e-commerce world, and access to its data 
might well be worth the pain you encounter 
in using it. Plus, once you have gotten over 
the registration hurdles, you likely will be using 
only a handful of API calls, with minor tweaks 
and changes over time. 
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developers to use, it’s possible to glean all 
sorts of data from eBay's stores and auctions. 
Unfortunately, this all comes with a price; 
with less metadata and an unnecessarily 
confusing registration process, eBay's offering 
is far less impressive than it could be.m™ 


Resources for this article: 
www.linuxjournal.com/article/9066. 


Reuven M. Lerner, a longtime Web/database consultant, is currently 
a PhD student in Learning Sciences at Northwestern University in 
Evanston, Illinois. He and his wife recently celebrated the birth of 
their son Amotz David. 
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Searching for the Ultimate 
Desktop Enhancements 


When you decide to go looking for the Ultimate Linux Box, consider that you 
may already have it. All you need are the right tools, and your search is over. 


Francois! The kitchen is a disaster! What are all these 
computers and computer parts doing all over the floor? 

| nearly broke something tripping over the stack of hard 
drives you conveniently put right inside the door. You are 
rying to build the Ultimate Linux Box? Yes, | know it's the 
heme of this month's issue, but you can achieve that goal 
without making the place look like a parts superstore. 
Honestly, mon ami, must we go through this every time 
his issue appears? Last year, it was a supercomputer clus- 
er. This year, it’s...what are you building anyhow? 

Never mind. It is my belief, Francois, that the Ultimate Linux 
Box isn't necessarily the one with the fastest processor or the 
one with a googolbyte of RAM, although that certainly would 
be very cool. It’s the box that lets me get access to the infor- 
mation | want right now. Luckily, that Linux system is often the 
one we are already running—with a few enhancements, that 
is. You might think you have to go a long way for those 
enhancements, but some already are installed as part of your 
Linux system. What you must do is turn them on. I'll explain 
later, mon ami. It appears that our guests have arrived. 

Welcome, everyone! It is wonderful to see you all here 
at Chez Marcel, where exquisite wines meet exceptional 
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Figure 1. Several applets are available. Scroll down and select the dictio- 
nary and weather applets. 
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Linux and open-source software. Sit down and make your- 
selves comfortable. Francois, please head down to the wine 
cellar. There are two cases of 1999 Elia Brunello by 
Colleceto Di Palazzesi from Tuscany, Italy, in the East Wing. 
Please, hurry back. I’m sure our guests are more than ready 
for a glass of wine. 

It is good to have you here, mes amis. Francois and | 
were just discussing what can transform a great Linux box 
into the Ultimate Linux Box, and | was suggesting the 
answer might be software. 

Whenever | sit down to a new Linux desktop, the first 
change | make is to the panel, whether it be KDE or GNOME. 
Each environment can incorporate applets into the panel— 
compact little extensions or programs that can give you access 
to resources or information at a glance (or a click). One of the 
most useful | know of is the dictionary applet. Second to that 
is the weather applet, which, if | can’t look out of the window, 
lets me know the weather conditions outside. 

Adding these applets is easy. If you are running KDE, right- 
click on a blank section of your Kicker panel and select Add 
Applet to Panel. The Add Applet dialog appears with a list of 
programs you can use to populate your Kicker panel. Each pro- 
gram (or applet) is listed alphabetically with a short description. 
Look for the dictionary applet and the weather applet as well. 
To add an applet, simply click the Add to Panel button. 

To use the dictionary, simply enter a word. There's no con- 
figuration for the dictionary applet, but you need to right-click 
on the weather icon to configure it for your location. GNOME 
desktop users follow an almost identical process for installing 
applets. Right-click on the bottom (or top) panel and select 
Add to Panel. A window of the same name appears with a list 
of available applets (Figure 2). Once again, select Dictionary 
Look up and Weather Report. Click Add, or drag your applets 
to the panel in the location of your choice. 

As with the KDE example, you need to configure the 
weather applet by right-clicking and selecting Preferences. 
Whether you are running KDE or GNOME, clicking on the 
weather icon brings up a detailed report of your local 
conditions. Check out Figure 3 for a sample of these applets 
on both desktops. 

Now, our desktops have become increasingly useful 
with only a little change. We are constantly up to date on 
weather conditions, and we can do word searches from the 
panel. Speaking of applets and searches, here’s another 
great one—this time for GNOME users. It’s called Deskbar, 
and it’s another must-have. Deskbar is a one-stop infocenter 
that uses a system of plugins to give you dynamic searches 
in all those places that are important to you. It can do 
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Figure 4. Deskbar is your one-stop search field. It can help you locate information on the Web, con- 
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lookups on your favorite search engine, search through 
your address book, find files, open files or folders for you, 
locate applications and more (Figure 4). 

To get Raphael Slinckx's Deskbar on your panel, load it 
from the applet Add to Panel dialog in GNOME. Recent 
distributions should have it included, but if it isn’t there, 
check out the Web site (see the on-line Resources). You 
always can download source, but binaries also are avail- 
able on the site for a number of popular distributions. To 
use Deskbar, simply type in the term for whatever you are 
seeking, and it will do the rest. 

When | mentioned plugins, what | didn’t say is that not 
all of them are activated by default (though most are). For 
instance, Deskbar will not only post your search to Google, 
but it also will search as you type. This is Google Live and 
requires that you have an account with Google. Once you 
do, you can activate this plugin. In other cases, such as the 
dictionary search, you'll find that the plugin is inactive pri- 
marily because the dictionary applet already serves that 
function. To activate (or deactivate) plugins, right-click on 
Deskbar and select Preferences. 

Deskbar even can search using Beagle if you have the 
package installed. Beagle, you ask? Ah, that might take a few 
minutes. Perhaps we should have Francois make sure all your 
glasses are full while | set things up on this end. 

Beagle is a desktop search engine. It is designed to 
bring to the desktop what search engines like Google 
bring to the Web. Beagle indexes your documents, presen- 
tations, notes, music, images, e-mail (KMail and Evolution) 
and a whole lot more. Beagle is in the early stages of 
development, but it is already very usable and fast. To stay 
on the leading edge of this exciting project, you really 
need to build it from source, which, | admit, can be daunt- 
ing while you seek out all of the appropriate prerequisite 
packages. However, a visit to the Beagle Web site (see 
Resources) will point you to binaries for many popular 
distributions, including SUSE, Fedora, Mandriva, Ubuntu 
and others. Some distributions have Beagle in their down- 
load or contrib sites, so check there first. 

Beagle does its indexing in the background with the 
use of a demon named beagled. You can start beagled at 
the command line (you do not have to run as root), or you 
can fire up the Beagle search window. That program is 
named beagle-search. When you start the program, it 
looks for the running Beagle demon. If it doesn’t find it, a 
button on the search window lets you launch the process. 
Beagle starts indexing immediately, but if you have a lot of 
data—and don’t we all—it may take a while before you 
can do a comprehensive search. 

Searching is child's play. Simply type your search term 
in the Find field, and Beagle immediately returns every- 
thing it finds relevant to your search (Figure 5). By default, 
it locates information based on the date. Click Sort on 
Beagle's menu bar, and you can change the sort criteria to 
Name or Relevance. 

Beagle originally was written as a GNOME project, but it 
works very well in a KDE environment and makes no distinc- 
tion as to what environment you run. You can use the default 
beagle-search interface with KDE, but you may want to take a 
look at Stephan Binner’s Kerry Beagle, a great KDE interface to 
the Beagle desktop search. Kerry provides some great addi- 
tional enhancements, including a system tray icon so that the 
search interface drops nicely out of sight when it’s not needed. 
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Some distributions have the package in their contrib repositories (SUSE 
and Kubuntu, to name a couple), but source also is available from the 
KDE-Look.org site (see Resources). 

When you run Kerry Beagle, it starts minimized with a magnifying-glass 
icon in the system tray. Click the icon to bring up the search window or 
press Ctrl-Shift-spacebar. When the search dialog appears, it checks to see 
if the Beagle daemon (beagled) is running. If it isn’t, you are given the 
opportunity to start it now. To search for a term, enter it in the Search field 
at the top and click Find. Search results appear below, with a default of 
five to a page (Figure 6). 

Your total number of results is listed in the bottom left. Click Next 
Results to see the next five items. You can change this default of five by 
right-clicking on the system tray icon and selecting Configure Kerry. Aside 
from the number of search results per page, the configure dialog lets you 
add additional folders to index (and others to exclude from indexing). 
Having to start the Beagle daemon each time you log in can be a pain. 
Luckily, automatically starting the damon when you log in to KDE is 
another thing you can set through the configuration menu. 

The clock on the wall, mes amis, she is telling us that the hour is late. 
We soon should be heading home to dreams of our own individual ulti- 
mate Linux systems. Francois no doubt will try to create something out of 
the chaos in kitchen. In the meantime, | know that he would be delighted 
to refill your glasses one more time before we say good night. Please raise 
your glasses, mes amis, and let us all drink to one another's health. A votre 
santé! Bon appétit/= 
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Figure 5. Beagle’s desktop search is fast and simple. 
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DAVE TAYLOR 


' End Game 


Want to bet you can find a problem in our final Blackjack script? 


This is the last column in our Blackjack series, and in this 
column, | show the final snippets of code needed to weave 
all of the disparate pieces of the game script into a 
playable game. For obvious reasons, | can’t present the 
entire script here in the magazine (it's almost 300 lines 
long), so instead | highly encourage you to pop over to the 
Linux Journal FTP site and grab a copy of the script as you 
read along (ftp.ssc.com/pub/lj/listings/issue148/9051.tgz). 
As with many betting games, Blackjack has evolved to have 
many esoteric rules with splitting pairs, insurance and various 
other things that take something relatively simple and make it 
more complex. We'll ignore all of that, however, and also 
ignore the betting component of the game too (this is a [geek] 
family magazine, after all) and just focus on the game play. 


Dealer Gets One Card Up 

Therefore, the first thing we need to know is that the player can 
see both cards as dealt and one of the two cards that the dealer 
deals for itself. That’s the first piece of code we need to add, 
and because we aren't allowing insurance or betting, it needs to 
be included immediately after the tests for blackjack in the code: 


echo -n "** Dealer's hand: " 

showCard ${dealer[1]} ; echo -n "$cardname, " 
echo "(card face down)" 

echo “" 


From a strategic perspective, if you have even a rudimentary 
grasp of probability, you'll know that cards with a value of ten 
are far more likely than any other card value in the deck. If the 
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dealer has an eight or nine showing, for example, odds are very 
good that it has 18 or 19 as a hand value. That'll, therefore, 
change your own playing strategy too, perhaps making it more 
likely that you'd take another card if you have an interim hand 
value of 17; whereas, if the dealer had a five showing, for exam- 
ple, you might be more likely to stick with a hand value of 16. 

In previous columns, you've already seen the basic script to 
display and calculate a hand's value, so this is nothing new: 


echo -n "** Dealer's hand: " 
showCard ${dealer[1]} ; echo -n "$cardname, " 
showCard ${dealer[2]} ; echo "$cardname" 


handValue ${dealer[1]} ${dealer[2]} 


But, now we’re going to add a loop below this that will 
keep taking cards until the hand value is 17 or higher (that’s 
standard Las Vegas Blackjack rules: 16 and lower the dealer 
“hits” or takes another card, and 17 or higher the dealer 
“stands” or sticks with its hand). 

This is a bit tricky, so take your time reading it: 


while [ $handvalue -1lt 17 ] 
do 
dealer [$nextdealercard]=${newdeck[$nextcard] } 


showCard ${dealer[$nextdealercard] } 


nextcard=$(( $nextcard + 1 )) 
nextdealercard=$(( $nextdealercard + 1 )) 


echo "" ; echo "** Dealer takes: $cardname" 


handValue ${dealer[1]} ${dealer[2]} ${dealer[3]} \ 
${dealer[4]} ${dealer[5]} 
done 


With some good routines and variables already in place, it 
turns out to be surprisingly succinct to have the dealer play its 
hand out. Hurray for that bit of good design! 


Who Won the Game? 

Now that we have the game-play logic, it’s simply a matter 
of having the set of conditionals to figure out who won or 
whether the game ended with a tie: 


if [ $handvalue -gt 21 ] 
then 
echo "**** Dealer busted! 
$playerhandvalue!" 
playerwin=$(( $playerwin + 1 )) 
elif [ $handvalue -eq $playerhandvalue ] 
then 


Player wins with \ 


echo "**** Dealer and player tie with \ 
$handvalue points." 

elif [ $handvalue -1t $playerhandvalue ] 

then 
echo "**** Player wins with $playerhandvalue" 
playerwin=$(( $playerwin + 1 )) 

else 
echo "**** Dealer wins with $handvalue" 
dealerwin=$(( $dealerwin + 1 )) 

i 


Whaddya think? Enough code listings? 
Let's see how the game plays now: 


$ sh blackjack.sh 

**** Welcome to Blackjack.sh! **** 

Dealer's hand: Queen of Hearts, (card face down) 
You've been dealt: 2 of Spades, 7 of Hearts 
H)it or S)tand? (recommended: hit) hit 
You've been dealt: 10 of Diamonds 

H)it or S)tand? (recommended: stand) stand 
You stand with a hand value of 19 

Dealer's hand: Queen of Hearts, 4 of Hearts 
Dealer takes: Queen of Clubs 

**** Dealer busted! Player wins with 19! 


You can see that we had 2S and 7H (9 points), took a card, 10D, giving 
us 19 points. We stayed with that, and the dealer revealed that it had QH 
4H, 14 points, and took another card which proved to be QC, which took 
the dealer over 21 points. We won! 

There are a few more nuances to the program, including keeping track of 
how many times the dealer or player wins, and at the point where you're asked 
“hit or stand”, you now can type in quit (or q) to quit. Then, it'll show you: 


H)it or S)tand? (recommended: stand) q 


Player quits. Standings: dealer wins: 5 and player wins: 3 


There’s Still a Bug 

There's also one outstanding bug in the code, and | invite you to dig around 
and figure it out. If the dealer is dealt an Ace in play, it’s automatically counted 
as 11 points, not one or 11, as it should be. Your challenge: figure out 
where that problem arises and how to fix it. If you think you know, e-mail 
me your proposed solution (perhaps a diff of your version versus the version 
on the Linux Journal FTP site), and we'll see how you did. 

Next month, we'll crack open a completely different shell script 
task and see what we can do to help your day-to-day Linux adminis- 
trative tasks, because we've probably wasted plenty enough ink on a 
casino game for this year! See ya then.m™ 


Dave Taylor is a 26-year veteran of UNIX, creator of The Elm Mail System, and most recently author of 
both the best-selling Wicked Cool Shell Scripts and Teach Yourself Unix in 24 Hours, among his 16 
technical books. His main Web site is at www.intuitive.com. 
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MICK BAUER 


An Introduction 
to Novell AppArmor 


Who says “easy-to-use mandatory access controls” is a contradiction in terms? 


In my article “Security Features in SUSE 10” (LU, April 2006), 
| described Novell AppArmor, a partial implementation of 
mandatory access controls (MACs) that is now part of SUSE 
Linux. Since that writing, Novell has released the source code 
of AppArmor under the GPL. It’s entirely possible that in the 
near future, AppArmor will be ported to other Linux distribu- 
tions that support Linux security modules. 

This is great news. In my opinion, AppArmor represents 
a major step forward in making MAC technology a feasible 
option for system administrators who want strong security 
controls but don’t have the time or patience to configure and 
maintain a complicated “trusted OS” such as SELinux. 

This month, | introduce the concept of mandatory access 
controls, describe the difference between Novell AppArmor 
and NSA SELinux, and show you how to get started with 
AppArmor on your SUSE systems. 


Introduction to Mandatory Access Controls 
The easiest way to describe mandatory access controls is to 
contrast it with discretionary access controls (DACs). Most 
general-purpose operating systems use a DAC security 
model, in which the owner of a given system resource (file, 
directory and so forth) can set whatever access permissions 
on that resource they like. Stringent security controls, in 
general, are optional. 

By contrast, a computer with MAC has a global security 
policy to which all users of the system are subject. A user who 
creates a file on a MAC system generally may not set access 
controls on that file that are weaker than the controls dictated 
by the system security policy. 

ost DAC implementations have several major problems, 
emphatically including both Windows and Linux (except SELinux). 
First and most obvious is that, as with any scenario involving 
human beings, making any type of work optional all but ensures 
that work won't get done very often. It takes work to use careful 
security settings consistently, even in a DAC system. 

Another problem with DAC is that DAC-based OSes tend 
to have a “winner take all” security model, in which the only 
way to get anything important done on the system is through 
the superuser account (root in Linux/UNIX, Administrator in 
Windows). Wholly compromising a system using such a security 
model is generally a simple matter of hijacking some process 
on that system that runs with root/Administrator privileges. 

On a MAC-based system, however, the only thing the 
superuser account is used for is maintaining the global security 
policy. Day-to-day system administration is performed using 
accounts that lack the authority to change the global security 
policy. As a result, it’s impossible to compromise the entire sys- 
tem by attacking any one process. (Attacks on the superuser 
account are still possible, however; for example, by booting the 
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system into single-user mode from its physical console.) 

If mandatory access controls are superior to DACs, why 
aren't they ubiquitous? Unfortunately, although MAC schemes 
have been available on various platforms over the years, they 
traditionally have been much more complicated to configure 
and maintain than DAC-based operating systems. Creating an 
effective global security policy requires detailed knowledge of 
the precise (intended) behavior of every application on the 
system. Furthermore, the more restrictive the security controls 
are on a given system, the less convenient that system 
becomes for its users to use. 


AppArmor vs. SELinux 
AppArmor isn’t the first mandatory access control scheme for 
Linux, nor is it the most comprehensive. It shares DNA, so to 
speak, with SELinux, a project of the US National Security 
Agency. (The shared DNA is the Linux Security Modules, which 
provide kernel support for MAC.) 

SELinux is a bundle of kernel modules and user-space 
configuration tools that implement three different types of MAC: 


1. Type enforcement (TE): associates a security “label” with 
every system object. 


2. Role-based access controls (RBACs): define particular actions 
and contexts in which system objects may be involved. 


3. Multi-level security (MLS): defines access controls against 
objects based on data classification (sensitivity). 


In SELinux, all three types of access controls (TE, RBAC 
and MLS) are applied across the entire operating system. 
This requires major system applications to be SELinux-aware 
wherever possible, and it also requires extensive setup by a 
knowledgeable system administrator (that is, one who has 
carefully researched SELinux). On the one hand, SELinux is 
truly comprehensive. On the other hand, configuring it is a 
fairly major undertaking. 

Novell AppArmor has a more modest objective: to restrict 
the behavior of selected applications in a very granular but tar- 
geted way. In focusing on applications (at the expense of roles 
and data classification), AppArmor is built on the assumption 
that the single biggest attack vector on most systems is appli- 
cation vulnerabilities. If the application’s behavior is restricted, 
the behavior of any attacker who succeeds in exploiting some 
vulnerability in that application also will be restricted. 

For example, suppose you're running a Web application 
that runs as user nobody and uses user input to update a local 
text file. On a typical system, if an attacker compromised that 
Web application, for example, by sending unexpected input, 
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the attacker might succeed in gaining a remote shell with the 
privileges of nobody. If that Web application were protected 
by AppArmor, however, all the attacker would be able to do is 
alter that single text file. It wouldn't be possible for the attacker 
to spawn a remote shell (an unexpected action) or to read or 
write any other files. 

Comprehensive? By no means. For non-AppArmor-protected 
applications, the usual (limited) user/group permissions still 
apply, no controls regarding data classification are provided, 
and normally, only a subset of applications on the system 
have AppArmor profiles. 

For the most part, root is still root, and if you use root 
access in a sloppy or risky fashion, AppArmor generally won't 
protect you from yourself. But, if an AppArmor-protected 
application runs as root, and becomes compromised some- 
how, that application's access will be contained, root privileges 
notwithstanding, because those privileges are trumped by 
the AppArmor policy (which is enforced at the kernel level, 
courtesy of Linux security modules). 

AppArmor is therefore only a partial implementation of 
mandatory access controls. But on networked systems, appli- 
cation security is arguably the single-most important area of 
concern, and that’s what AppArmor zeros in on. What's more, 
AppArmor provides application security through an easy-to- 
use graphical user interface that is fully integrated with YaST. 
(GUI tools are now being developed for SELinux as well, but 
just how easy to use these are is open to debate.) 

Still, I'm stopping well short of suggesting AppArmor 
is interchangeable with SELinux. If, for example, you run 
Linux in a multiuser environment (in which users have shell 
or database accounts) involving highly sensitive data, there 
really is no substitute for the comprehensive layers of 
access controls in SELinux. 


Getting Started with AppArmor 
Although AppArmor’s open-source license hopefully will 
lead to ports on other Linux distributions, for the time being 
AppArmor is available only for SUSE Linux and SUSE Linux 
Enterprise. The rest of this article, therefore, is necessarily spe- 
cific to SUSE. I’m scratching only the surface here. For detailed 
information on how to configure and use AppArmor, see 
the AppArmor Admin Guide Using Yast, whose path is 
/ust/share/doc/packages/subdomain-docs/ug_apparmor.pdf, 
provided you've installed SUSE’s subdomain-docs package. 
Note: prior to being acquired by Novell, AppArmor 
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previously was called Immunix SubDomain. Many of 
AppArmor's filenames and package names still include 
the word subdomain. 

AppArmor has its own YaST module, called Novell 
AppArmor (Figure 1). As you can see, most of the applets in 
this module deal with creating and managing AppArmor 
Profiles. Each application protected (confined) by AppArmor 
must have its own AppArmor profile. Profiles can be created 


You can identify all the commands and demons on your system bit on any root-owned executable unless it’s absolutely necessary, so 
that are both owned by root and have their setuid bit set (that is, modern versions of Linux distributions tend to be very sensible in 
that run with a user ID of root no matter who actually executes this regard. Still, you may be surprised by what you find. 


them), with a single command: 


One more handy command, this one peculiar to AppArmor, is 


find / -user root -perm -4000 -print unconfined. When run without arguments from a command 

prompt, this command lists running network deemons that are not 
As with any other find / command, this takes a few minutes to protected by AppArmor. You must be root, and AppArmor must be 
complete, but the output hopefully will be a short list. In the enabled, for the unconfined command to work. 


Internet-connected era, it's very bad form indeed to set the setuid 
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contents of another file in 
this profile at load time. 
Hat 

Add a sub-profile for this 
profile — called a Hat. This 
option is analagous to 
manually creating a new 
profile, which can 
selected during execution 
only in the context of 
being asked for by a 
changehat aware 
application. For more 
information on changehat 
please see man 
changehat on your 
system or the Novell 
AppArmor User's Guide. 


Delete Entry: 
Removes the sclected 
entry from Lhis profile. 


Figure 3. AppArmor 
Profile for httpd2 
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manually or by using the Add Profile and Update Profile 
Wizards or with the Manually Add Profile applet. 

The AppArmor control panel is used to enable and disable 
AppArmor and to enable, configure and disable AppArmor 
security event notification. Important note: any time you 
enable AppArmor manually, you must restart every AppArmor- 
protected application (simply rebooting is your safest bet). An 
application must start while AppArmor is already running in 
order to benefit from its protection. Obviously, if AppArmor is 
enabled at boot time, you don’t need to worry about this. 

Two types of applications are particularly important to 
protect: programs that run setuid root (that is, run with root's 
privileges) and network applications. AppArmor comes precon- 
figured with profiles for a variety of setuid-root programs and 
network applications, including Apache, ping, Firefox, Opera, 
Evolution, sshd, Id, Postfix, Squid and Ethereal. 

Figure 2 shows the ping default profiles. As you can see, it 
consists of #include statements that reference the contents of 
other profiles, access controls on POSIX capabilities (setuid, kill, 
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sys_boot and so forth) and file access controls. 

There's actually a fourth element that Web server profiles 
may contain—hat definitions. Figure 3 shows part of the 
profile for httpd2 (Apache 2). The entries at the top of the 
profile that begin [+] are hats. A hat is simply an embedded 
profile, a sub-profile, if you will. Only profiles for hat-aware 
applications can have hats, and even at that, you must have 
SUSE’s libimmunix and mod-change-hat packages installed 
for hats to work. 

The most common use of hats is for Web applications that 
are run without actually being part of httpd daemons. Figure 4 
shows the contents of just such a hat, corresponding to a 
guestbook application on my Web server. The index.php script 
referenced in Figure 4 mainly needs read access to some files, 
but it also needs to both read and write to the guestbook file 
itself (book.gb) and also Apache's access log (access_log). 

If this seems confusing, don’t worry. It’s seldom necessary 
to create profiles (let alone hats) manually. On many systems, 
you won't need to create new profiles at all—periodically 
running the AppArmor Update Profile Wizard when things 
don’t work as expected may suffice. This wizard scans 
/var/log/messages for AppArmor-generated error messages 
and allows you to update the corresponding AppArmor 
profiles accordingly (either to allow or continue to 
disallow the event that triggered each error). Where 
appropriate/applicable, Update Profile Wizard even will 
create new hats, again assuming you've installed the 
libimmunix and mod-change-hat packages. 


How to Create a New Profile Quickly 

If you need to create a new profile from scratch, there 
are several ways to do so, all explained in detail in the 
aforementioned Admin Guide Using YaST and also 

in the AppArmor Advanced User's Guide (/usr/share/ 
doc/packages/subdomain-docs/adv-ug-apparmor.pdf). 
Here, however, is the easiest method: 


1. Run the Add Profile Wizard, being sure to specify the full 
path to the program you want to protect when prompted 
for the application name. You will be prompted to run 
the program, during which time AppArmor runs in 
“learn” mode, and builds a profile by observing the 
application’s behavior. 


2. After the Add Profile Wizard closes, restart your application 
(if a demon) and test it as thoroughly as possible. If 
everything works properly, you're done. 


3. If anything failed in the previous step, run the Update 
Profile Wizard. Based on your answers to the Wizard's 
prompts, the AppArmor profile you just created (plus 
any other applicable profiles) will be updated. 


4. Repeat steps two and three until the application works the 
way it did before you created its AppArmor profile. This 
may take more than two iterations. 


That's basically it! The excellent documents in /usr/share/ 
doc/packages/subdomain-docs explain not only the above 
procedure, but also how to use the Add Profile Manually 
applet and even how to create profiles from scratch using 
your text editor of choice. 


Miscellaneous Notes 

Before | close this month’s column, | leave you with a couple observa- 
tions based on my experiences tinkering with AppArmor over the past 
couple of months. First, | must stress the importance of having a 
healthy local logging facility. As you can see, AppArmor relies heavily 
on /var/log/messages not only for providing you with a good audit 
trail, but also for providing its own wizards with crucial configuration 
intelligence. Therefore, if you have a customized system logger, make 
sure that there’s at least a symbolic link from /var/log/messages to 
wherever your subdomain messages end up. 

For example, on my chrooted syslog-ng installation, my subdomain 
messages are written to /var/syslog-ng/var/log/messages. Before 
AppArmor would work properly on this system, | had to create a sym- 
bolic link from /var/log/messages to this location. | also had to edit 
/etc/logrotate.d/syslog so that the “real” messages file would be rotated 
when too large or old; otherwise, the symbolic link was destroyed by my 
logrotate cron job. (Obviously, | should have updated logrotate.d/syslog 
already, back when | configured syslog-ng—by the time | got around 
to this, /var/syslog-ng/var/log/messages had grown to an embarrassing 
and unwieldy size.) 

Also, | should point out that, just like all of YaST’s modules, you 
don't need to be running the X Window System to run the Novell 
AppArmor YaST applets. You shouldn't be running X on Internet- 
connected servers, both because it’s almost never necessary and 
because X has a very rich history of so-called local privilege 


escalation vulnerabilities. It may seem tempting to ignore such 
vulnerabilities if you're worried about non-local attackers, but “local” 
is a usually a misnomer. If attackers gain shell access via, for example, 
a buffer-overflow attack against some network dzmon, they often 
can exploit so-called local privilege escalation vulnerabilities to 
promote themselves to root. 

| hope you'll forgive me, therefore, for using attractive screenshots 
of the X version of YaST in this article—l assure you that the content 
and functionality is identical in the text-only versions of these applets. 
Finally, a tip—in the course of repeatedly running the Update 
Profile Wizard to make my guestbook PHP script work, AppArmor 
for some reason forgot I'd dealt with two particular events in 
/var/log/messages and prompted me over and over about these two 
events. The problem went away when | manually deleted the corre- 
sponding lines in /var/log/messages, and | haven't experienced that 
particular anomaly since. The problem may have had more to do with 
my weird syslog-ng behavior than with anything in AppArmor, but 
| mention it in case you experience anything similar. AppArmor’s log 
messages always contain the string SubDomain.m™ 


Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for one of the US's largest 
banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building 
Secure Servers With Linux), an occasional presenter at information security conferences and composer 
of the “Network Engineering Polka”. 
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No Shoes, No Shirt, 


No Problem! 


Separating the truth from fairy tales about pony tails. 


| like seaside bars and restaurants, particularly those 
that are right on the beach. You are walking along the sand, 
right at the waterline, and when you crave a refreshing drink, 
you simply walk up, sit down and order one. You are proba- 
bly barefoot and bare chested (assuming you are a man, but 
in some places women too), and you enjoy the warmth of 
the sun on your face and body while you eat your meal and 
drink your beverage. “No shoes, no shirt, no problem!” 

There are a lot of restaurants in the United States, even 
those right on the beach with signs saying, “No shoes, no 
shirt, no service!” Whether this be an issue of health code, 
puritanical residuals or the fact that some people do not like to 
look at hairy bodies while they eat, | am not sure, but these 
signs show up in the most unlikely places, not just where you 
might expect them. 

| always have believed that if people do their jobs right, 
show enthusiasm, are respectful of other people and are rela- 
tively clean and free of body odor, that how they dress or wear 
their hair should be their own choice. Particularly their hair, 
because it is hard to cut and grow your hair due to a nine-to- 
five job schedule. A person could put on a suit or a tie if the 


sandals or pony-tails, but his off-hand remark was generated 
to show the lack of real business knowledge that goes with 
a lot of (not all) Free Software advocates and businesses. 
Many advocates of Free Software are programmers them- 
selves (or system administrators or people who have been 
in the computer industry for a long time), so the concept 
of going in and changing the software, tracking the 
changes, integrating the changes back into the original 
source code pool is not mysterious. What does seem to 
be mysterious is a lack of understanding about how large 
corporations (or even small businesses) really work. 

Likewise, the bulk of the business people making decisions 
today have never written a line of code, or if they did, it was 
back in their college days when they almost failed that “stupid 
programming course”. In fact, most business people would 
love not to have to worry about computers at all. This desire is 
what leads to the e-business advertisements by IBM and to 
“Business on Demand”. 

Business people do understand, however, that their busi- 
ness cannot survive in the relatively short run if they do not 
have any computer resources. Some businesses could not 


It seems to me that even with a larger number of people now involved with 
free software that the number of people actively having fun appears to be 
decreasing, or at least not increasing in the same proportions as users. 


occasion called for it, and | have done that from time to time. 
| even have a picture of me wearing a tuxedo aboard the first 
Linux Lunacy cruise. | think | looked rather dashing, but | still 
prefer to wear shorts and a T-shirt. 

In June 2000, Linux Journal had a rather ugly guy on the 
front cover, dressed in a suit, with a mirror in the background 
which showed his barefoot refection wearing shorts and 
T-shirt. The reflection was pointing at him with a combination 
of horror and dismay, but the message was that Linux was 
moving into the world of big business, and the “barefoot 
days” had to make a little room for the suits. 

Still, it amazed me recently when an IT manager who is 
an advocate of Free Software was in New Zealand for the 
Australian Linux User’s Group meeting and made the statement 
that part of the trouble with Free Software was that people 
went around talking about it with “sandals and pony-tails”. 

Of course, the press had a field day with this. | was still 
getting questions about it four months later at LinuxWorld 
Toronto, when a reporter for Report On Business, a cable TV 
show, brought it up in an interview. Fortunately, | had time 
both to talk to the manager who had made the comment and 
to formulate an answer, so | was ready. 

The manager, of course, has nothing against either 
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provide service with outages measured in seconds—catch-22. 

So, when the sandal wearers come up and say, “Free 
Software”, the business people say, “24-hour, seven-day-a- 
week-support”. The sandal wearers kind of shuffle their feet 
and go, “Well, maybe eight-hour, five-day-a-week.” The 
answer is not good enough. 

The business people say, “| need these applications”, and 
the sandal wearers tell them (with a wave of the hand but no 
concrete examples) that they can “do it all with thin clients 
and a Web site”. Not good enough. 

The business people say, “I need support in Hong Kong, 
Brazil, New York and Moscow”, and the sandal wearers offer 
them support in Silicon Valley. Not good enough. 

The business people say, “| need some type of road 
map to show me where Linux is going, so | can plan 
better.” The sandal wearers tell them to read the mailing 
lists. Not good enough. 

The business people say, “I need binary compatability 
between the distributions so | can protect my investment in 
software.” The sandal wearers tell them to do “everything 
in source”. Not good enough. 

The sandal wearers complain that the large companies 
do not support Linux up and down their product lines, not 


understanding the economics of how much it costs these companies to 
qualify the (several) distributions of Linux for which customers might ask. 

The sandal wearers have great ideas for doing business with Free 
Software, but no written business or marketing plan showing how the 
idea might be successful, and although it is true that a business and 
marketing plan does not guarantee success, it at least shows that you 
gave thought to it. 

These examples of lack of knowledge and understanding are what gets 
the Free Software community the image of being sandal wearers. 

So far, | have wailed on about the sandal wearers, but the suits 
also have their foibles. There are many examples of the suits not 
understanding the sandal wearers, or even trying to “let their hair 
down”. Although | will cover most of these in a later column, | think 
the most famous of these types of considerations was the casual 
Friday, where people were encouraged to come to work in more 
casual clothes. It was reported that one large company had to hire 
psychologists to help its middle management employees through their 
personal crisis of not wearing a suit. 

| often ask myself if the fun is disappearing in Free Software. 
| remember in the early days of Linux how we had fun at events like 
the Linux Expo and the Atlanta Linux Showcase. Paintball contests, hot 
sauce judging contests, a contest for designing a new desktop for 
Linux and other fun things in which the community could participate. 
It seems to me that even with a larger number of people now involved 
with Free Software that the number of people actively having fun 
appears to be decreasing, or at least not increasing in the same 


proportions as users. 

If there is one thing that Linus has taught me in my association 
with him, it is to strive always to have fun. There are, of course, days 
when you have more fun, and days that are not as much fun, but over 
all, it should be fun. Maybe if you are not having fun, you are really in 
the wrong business. 

[Speaking of fun, the 15th anniversary of the first Linux release of code 
is coming up in September 2006—we should all plan for some fun to help 
celebrate it.] 

So, although | will keep my suit pressed for those more formal pre- 
sentations and cruise-ship parties, maybe | will keep my beard and long 
hair to remind me to have fun. On the other hand, maybe | will not 
totally put away my sandals, but | will polish my wing-tips while continu- 
ing to learn what businesses need to function and help the Free Software 
community supply those things to the business community. | will try even 
harder to walk that line between sandals and pony-tails and suits. 

In the meantime, you will find me at the Alideia dos Piratas, digging 
my toes in the sand and having a drink with the warm sun shining on 
my back.m@ 


Jon “maddog” Hall is the Executive Director of Linux International (www.li.org), a nonprofit association of end 
users who wish to support and promote the Linux operating system. During his career in commercial computing, 
which started in 1969, Mr Hall has been a programmer, systems designer, systems administrator, product manager, 
technical marketing manager and educator. He has worked for such companies as Western Electric Corporation, 
Aetna Life and Casualty, Bell Laboratories, Digital Equipment Corporation, VA Linux Systems and SGI. He is now an 
independent consultant in Free and Open Source Software (FOSS) Business and Technical issues. 
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Progress Report toward 
Independent Identity 


Silo-free identity systems begin to emerge and converge. 


Last September's cover story examined the Identity 
Metasystem, proposed by Kim Cameron and his team at 
Microsoft, in support of personal identities that are inde- 
pendent of any vendor's silo. Microsoft's inaugural member 
of the Identity Metasystem is an identity selector called 
InfoCard and is due for inclusion in Vista when that operating 
system arrives in 2007. (It will be back-implemented for XP 
as well.) 

Since then, the Identity Gang has grown in number, and 
it has held a series of meetings and workshops where 
progress has been dramatic and encouraging. In a meeting 
at Harvard in December 2005, Paul Trevithick of Social 
Physics introduced Higgins, a framework for building user- 
centric identity-enabled services. At the Internet Identity 
Workshop in January 2006 in Berkeley, creators of OpenlD, 
LID and XRI/XDI joined various pieces to create Yadis: a 
new and simple combined lightweight identity system. At 
the Mountain View IIW in May 2006, a large conference 
room was packed with participants from Red Hat, Higgins, 
Identity Commons, XRI/XDI, the IETF, LID, Novell/SUSE, 


Why, other than adherence 
to principles of niceness, 
are all these projects 
working to keep things 


from breaking as they grow 


in converging directions? 


VeriSign, Tucows, OpenID and other interested parties, to 
engage Kim Cameron and Mike Jones of Microsoft—and to 
talk about open-source implementations of InfoCard. 

That conversation has since been formalized in a series 
of phone calls and a mailing list called OSIS (Open Source 
Identity Selector). A report on the first of the weekly OSIS 
conference calls began with this: 


We reaffirmed that the initial goal of the project is 
to build InfoCard selector implementations for non- 
Windows platforms that are compatible with the 
Microsoft implementation, with targets possibly 
including GNOME, KDE, Mac and mobile devices. 


We agreed that the goal is to move quickly, enabling 
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deployment of interoperable implementations by the 
time that Windows Vista ships. 


Since then, progress has been so rapid and varied (within 
and between different participants) that it's hard to follow 
exactly what's going on. When | asked Paul Trevithick to 
summarize it for Linux Journal readers, he wrote back: 


The situation is extremely fluid. The Red Hats, 
Novells, independents and others are all bouncing 
around trying to understand what's really going on. 


There are now at least three efforts afoot that as 
either a total or a partial goal include creating an 
open-source capability to interoperate fully with 
Microsoft's InfoCard system and especially the specific 
ways that it uses WS-Trust and related protocols: 


1) OSIS: effort appears to be defined as a clone of 
Microsoft's InfoCard software but for Mac and Linux. 


©iStockphoto.com/Digitalvisions 


2) Higgins: one of the highest priorities is to provide full interop- 
erability with Microsoft's InfoCard and thereby to provide equiva- 
lent functionality on non-Windows platforms. (Higgins also has 
goals that are beyond authentication and security, and it will 
support other protocols.) 


3) The UNC Lab of Information Integration, Security and Privacy 
Project (www.sis.uncc.edu/LIISP) under Dr Gail-Joon Ahn, 
which was presented at IIW2006. 


..and there may be others. Kim has stated that Microsoft will 
provide technical support to any and all groups to enable them 
to achieve interoperability. 


Two additional points. First, Dr Ahn’s implementation is ready in 
advance of Microsoft's own. (To an enthusiastic reception by Microsoft 
folks at the May 2006 IIW, where the system was demonstrated.) 
Second, | know of at least one commercial InfoCard-compatible imple- 
mentation, which should be ready by the time this issue is published. 

Phil Windley, author of Digital Identity (O'Reilly, 2005) and an 
organizer of the Internet Identity Workshops, said: 


For us to have a metasystem, we need identity selectors for 

Linux desktops, Macs and other platforms. It’s impressive that 
the identity community accepts Kim Cameron’s vision—that there 
needs to be interoperability. It’s Kim’s political acumen that 
enables this. He just put out the Laws and said, “Here’s a system 
that obeys these, and it’s open.” It’s important that InfoCard isn't 
Microsoft Kool-Aid. If Microsoft stopped, all this other stuff 
could keep working. 


I've been impressed, all through this process, at how committed all 
these different development projects are to staying open toward each 
other, in the general directions where they might converge. For exam- 
ple, InfoCard and Yadis are solutions to different problems, yet there 
are design decisions both communities can make today that will be 
interoperable at some point in the future when their uses overlap. 

As we know too well, being open source doesn’t prevent market- 
halting incompatibilities and failures to interoperate. Why, other than 
adherence to principles of niceness, are all these projects working to 
keep things from breaking as they grow in converging directions? 

Phil Windley says there may be a couple of subtle reasons. First, 
“Sometime early last year, the competing participants got to the 
point where they said, ‘We don't have to be enemies. We can work 
together.’” Second: 


Some of the developers realized that relying parties—say, 

any Web site that has to rely on an identity credential from an 
identity provider—don’t have to support different systems. It's 
the identity provider—the Amazons and Googles and eBays of 
the world—that will have to play in all those systems, if they 
want to be in the game. They have the incentive, as well as the 
ability, to interoperate. If you're Amazon, and want your cus- 
tomers’ identities to be useful across a lot of Web sites, you 
have an incentive to interoperate. Now look at it the other way 
around. If the relying parties needed this, and not the identity 
providers, interop would always be “someday”. 


Instead, | think we're likely to see user-centric “independent” identity 
in widespread use sometime in the next two years.m™ 


Doc Searls is Senior Editor of Linux Journal. 
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Mandriva Kiosk 


Your valiant editor dithered a bit on whether to include 
this item, the Mandriva Kiosk service, thinking it more at 
home in TUX, our sister publication for the Linux desktop. 
As you can see, the desktop enthusiast in me cannot be 
subdued! According to the company, Mandriva Kiosk is 
“a Web-based one-click software installation service” that 
offers “access to the latest versions of the most popular 
applications through a simple installation process”. 
Packages with multiple dependencies, such as 
KDE and GNOME, are aggregated into bun- 
dles and treated as a single entity from the 
user's perspective. Although the initial 

range of available applications is a bit > 
sparse, the offering will presumably 

grow over time. Although many of you 

may balk, arguing that you lose valuable 
control of your system, | call on your inner 
evangelist. Have you not a mother-in-law you wish to lure 


away from the dark side? Subscriptions to Mandriva Kiosk 


start at 29.90 EUR (around $38 US) per year. Only newer 
releases of Mandriva Linux are supported. 


kiosk.mandriva.com 


AccuSoft's VisiQuest 


Those in our community involved in data and 
image analysis—researchers, scientists, engineers 
and educators, among others—will be interested 
in the latest update to the VisiQuest software 
application from AccuSoft. VisiQuest’s raison 
d’étre is to perform complex image and data 
analysis tasks using visualization. The latest 
release, per AccuSoft, features a “toolbox with 
60 additional functions for image registration and 
segmentation tasks”. Included therein is a plethora 
of new functions or “glyphs” that help solve the 
challenge of mapping data of a rotated image to 
a fixed image. What's more, users can utilize 
these glyphs in a drag-and-drop environment 
without the need for proprietary programming 
languages; users can also roll their own glyphs in 
C, C++ or Perl. In addition, AccuSoft announced 
a price reduction and a new, bundled purchasing 
option. Supported platforms include Linux, Mac OS, 
Windows and UNIX. 


www.accusoft.com 


Kiosk 


Freedom is a simple choice 


Mark Sobell’s A 
Practical Guide 
to Red Hat Linux: 
Fedora Core 
and Red Hat 
Enterprise Linux, 
3rd Edition 


Good golly, so many wonderful Linux 
books, so little time! We hope to better 
use this space to tell you what's hot off 
the press and perhaps worth a further 
look. Now, it is a good sign if, in today’s 
competitive market, a book makes it into 
a 3rd edition, which is the case with 
Mark Sobell’s A Practical Guide to Red 
Hat Linux: Fedora Core and Red Hat 
Enterprise Linux. The publisher, Prentice 
Hall, describes the book like so: “In 28 
chapters, this book takes you from 
installing a Fedora Core (updated for 
Fedora Core 5) or Red Hat Enterprise 
Linux system through understanding its 
inner workings to setting up secure 
servers that run on the system, as well as 
working with GNOME, KDE, Samba, 
sendmail, Apache, DNS, NIS, and 
iptables.” This new 3rd Edition includes 
beefed up info on system administration, 
security issues, networking and server set 
up. The publisher also notes how Sobell 
“knows every Linux nook and cranny”, 
indicating that this book is especially 
comprehensive. A Practical Guide spans 
nearly 1,100 pages and includes a DVD 
with the full Fedora Core 5 OS. 


www.phptr.com/title/0131470248 


“This oo Went bene! far cereus mares Linen 
speares © eo reteerea! 


‘A Practical Guide to 


Red Hat Linux 


Please send information about releases of Linux-related products to James Gray at newproducts@ssc.com or New Products c/o Linux Journal, 


1752 NW Market Street, #200, Seattle, WA 98107. Submissions are edited for length and content. 
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Xeon 5OOO/S100 server Sotutions 


2 - Multiple-Core -64GB FBD Memory 
ST er ] ich 
Li th TTT : High Efficiency Power 


5 P Z\N( SuperServer 7045B-3_) 
SuperServer 6025B-8R+ 
ULE SuperServer 6015B-8+ eae Supetcerver V Dual Intel®Dual-core Xeon" 5000/5100 sequence 
v Dual Intel®Dual-core Xeon™ 5000/5100 sequence v Dual Intel®Dual-core Xeon™ 5000/5100 sequence v SUPER®® X7DB3 /Intel 5000P/1333MHz 
v SUPER®®X7DBR-8+ /Intel 5000P/1333MHz v SUPER@® X7DB8+ /Intel 5000P/1333MHz v Up to 32GB fully-buffered DIMM (FBD) 
v Up to 64GB fully-buffered DIMM (FBD) v Up to 64GB fully-buffered DIMM (FBD) v 3PCI-X 133/100, 2 PCI-E x8 &1 PCI-E x4 
v 1 PCI-X 133 or 1 PCI-E x16 or 1 PCI-E x8 v 3PCI-X 133/100, 2 PCI-E x8 &1 PCI-E x4 v Adaptec controller for 8 SAS/SATA ports 
v Adaptec dual-channel U320 SCSI v Adaptec dual-channel U320 SCSI v AOC-LPZCR2 (Zero-channel RAID) support 
v AOC-LPZCR2 (Zero-channel RAID) support v AOC-LPZCR2 (Zero-channel RAID) support v ATI 416MB Graphics 
v ATI 146MB Graphics v ATI 16MB Graphics v Dual Gigabit LAN ports 
v Dual Gigabit LAN ports v Dual Gigabit LAN ports v 8x 3.5" hot-swap SAS drive bays w/SES2 
v 4 hot-swap SCA drive bays w/SAF-TE v 8hot-swap SCA drive bays w/SAF-TE v 90° rotatable module: 2 USB ports, FDD & 2 drives bays 
v 1slim floppy & 1 slim DVD-ROM drive v 1slim DVD-ROM drive, optional USB ports & FDD .; : : : 
a } , V_ 700W high-efficiency powen eee ea Vv ‘es cooling RESISTING 6 fans & air shroud 
700W high-efficiency power supply w/I* C ‘ ¥ 1slim DVD-ROM drive & FDD 
V 4 fans wioptimal fan speed control eee. Wap cooling aay v 650W redundant cooling fan w/l2C 
V_ IPMI 2.0 with virtual media over LAN & v_ IPMI 2.0 with virtual media over LAN & Vv IPMI 2.0 with olrite lmeniotcveR DAN 
i bs x) optional KVM-over-LAN support : 
optional KVM-over-LAN support P optional KVM-over-LAN support 
AMAX Corp. Arrow Electronics ASI Bell Micro. Ingram Micro MA LABS Synnex Inc. Tech Data 
1-800-800-6328 1-888-427-2250 1-800-2000-ASI 1-800-232-9920 1-800-456-8000 1-408-941-0808 1-800-756-5974 1-800-237-8931 
www.amax.com www.arrownacp.com www.asipartner.com www.bellmicro.com www.ingrammicro.com www.malabs.com www.synnex.com www.techdata.com 


© 2006 Super Micro Computer, Inc. Specifications subject to change without notice. All other brands and names are the property of their respective owners. Intel, the Intel Logo, ntl Inside, the Intel Inside logo Intel Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries inthe United States and other countries 


NEW PRobuCTS 


UBUNTU 
HACKS 


Tips & Tools for Exploring, 
Using, and Tening Linux 


Bill Childers, 
Jonathan Oxer 
and Kyle Rankin’s 
Ubuntu Hacks 
(O'Reilly Media) 


Yes, dear Reader, ye 


another book, 


based on the mildly presumptuous 


assumption that you 
as |. If the Ubuntu di 
you'll be happy as a 
avalanche of great U 


love them as much 
stro is your fancy, 
clam, for an 

buntu books hits 


booksellers this summer and autumn. 


Naturally, | must inse 
for my friend and fe 


rt a shameless plug 
low LJ editor, Marcel 


Gagné, whose title Moving to Ubuntu 


Linux should be avai 


able sometime 


around now. However, the focus of this 


blurb is a title from 7 


im O'Reilly's library, 


namely Ubuntu Hacks from the trio of Bill 
Childers, Jonathan Oxer and Kyle Rankin. 
All three authors are self-described “pas- 
sionate Ubuntu and Kubuntu users”. The 
book is timely because, without a doubt, 
Ubuntu is far and away the hottest distro 
out there and one of the most active 
hubs of Linux-based innovation. Ubuntu 
Hacks is meant to whet the appetite of 
rue hackers, those whom the authors 
describe endearingly as “creative, having 
he technical chops to get things done.” 
Regardless of your level of expertise, the 
‘olks at O'Reilly Media say that this book 
will challenge you. It contains more than 
100 different hacks, that is, creative ways 
o get the most out of your Ubuntu 
system, ranging from the basics through 
‘0 mobile computing, X11 tweaks, virtu- 
alization and emulation, SOHO-level 
servers, security and more. 


www.oreilly.com 


Jitterbit’s ae 


Open-Source — 
. =r 
Integration > Ba 
4 2 : rome 
Application = 
Imagine you're a small nontechnical retailer who = 
wants to integrate your internal systems with an eBay r— 


i 
if 
] 


on-line store. What do you do? One option is to hire 
a team of coders and developers to do the job. 
Jitterbit aims to make that solution superfluous and 
allow you to accomplish complex integrations on your 
own—all via drag and drop and without coding. The 
Jitterbit open-source integration application can be 
used to connect data from ERP and CRM applications, 
data warehouses, on-line marketplaces and so on. Some of the supported formats are Web services, XML, 
HTTP/S, FTP, ODBC, flat and hierarchic file structures and file shares. Customers can choose between 
wo different editions: a free, community-supported edition and a professional edition, complete with 
enterprise-level support and services. The Jitterbit Community Edition for Linux or Windows is available 
or free download at the company’s Web site. 


Tit 
rior 


www.jitterbit.com 


2X's ThinClientServer 


2X wants to bring joy to managing your Windows 
desktops by turning them into Linux ones—without 
users suspecting a thing! The company’s 
ThinClientServer, just upgraded to Version 3, is a 
tool for centrally managing your network's desktops 
via thin client—that is, both existing “fat” PCs and 
thin-client devices from any vendor. 2X’s approach 
is to deploy a secure, self-updating, small-footprint, 
Windows-mimicking Linux desktop to each client, 
which allows for central administration (Active 
Directory, LDAP) of users’ connection and device 
hardware settings (RDP/ICA/NX, screen size and so 
orth), as well as which Windows apps are available. 
Windows apps are tunneled to clients either via the 
irm’s application server or Citrix Metaframe. The 
upshot, says 2X, is that you avoid the technical and 
inancial hassles of Windows; desktop administra- 
ion is simplified (backup, updates and patching 
and so on); and unauthorized use of removable 
media is impossible. A free, five-client version can 
be downloaded from 2X's Web site. 


www.2x.com 
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Penguin Computing’s 
Relion 1600 and 
2600 Servers > 


Penguin Computing recently expanded its line 
of Relion servers, which it targets at customers with 

memory/CPU-intensive, highly scalable, high-performance computing needs. The Relion 1600 (1U) 
and 2600 (2U) servers offer the option of up to two of Intel’s new Dual-Core Intel Xeon 5000-series 
processors per server and integrate the most up-to-date Intel server technologies for improved 
performance. The result, according to Penguin's people, is “twice the speed as previous designs 
within the same power and space parameters”, as well as reduced operating costs due to “cooler, 
more economical performance and greater workload capacity with dynamic, instantaneous CPU 
performance scaling.” These improvements are possible due to Intel’s Demand Based Switching 

and SpeedStep technologies, which provide dynamic scaling of CPU performance depending on the 
application's workload. In addition, they enable automatic switching from full, dual-core, dual-CPU 
utilization to a bare minimum level of power consumption when idle. Relion servers support Red Hat 
or SUSE Linux operating systems. 


www.penguincomputing.com 
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PGI 


Compilers 


are building 
the 64-bit 


applications 
infrastructure. 


PGI Fortran, C and C++ compilers deliver world-class performance on a 
wide spectrum of 64-bit scientific and engineering applications. With PGI 
you get an easy-to-use integrated suite of dual-core and MPI-capable 
compilers, debugger, and profiler to simplify porting and tuning of 64-bit 
applications for AMD64 and EM64T processor-based workstations, 
servers and clusters. With comprehensive cross-platform support for Linux 
and 64-bit Windows operating systems on both Intel and AMD processors, 
PGI delivers a uniform development environment across your key target 
systems. The leading independent software vendors in structural analysis, 
computational chemistry, computational fluid dynamics, and automotive 
crash testing have chosen PGI compilers and tools to build and optimize 
their 64-bit applications. 


Visit www.pgroup.com to learn what PG! Compilers and Tools 
can do for you. 


~~ The Portland Group 


www.pgroup.com ++ 01 (503) 682-2806 
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The Ultimate 
Do-It-Yourself Linux Box 


Start with the ultimate AMD64 motherboard and build on it to create a masterpiece of your own. 


Some of us just like to do it ourselves. There's something uniquely satisfy- 
ing about selecting every component in a system. It allows you to balance 
the exact price/performance trade-off that suits you best. Do-it-yourself is 
also one of the best ways to ensure that you have a system that won't 
become obsolete within six months. For example, most AMD64 mother- 
boards support only 4GB of RAM, but our favorite board supports up to 
8GB of RAM. We may never upgrade it to the full 8GB, but it’s nice to 
have that room for expansion. You may not get that kind of room for 
expansion with a pre-made system. 

For those with little patience, we'll get right to the bottom line. Our 
favorite do-it-yourself combo includes the following: 


» Motherboard: ABIT AN8 32X 939 
>» Processor: AMD64 4200+ Athlon X2 
> Power supply: Silverstone SST-ST65ZF 650 Watts 


>» Memory: two sets of Corsair 1Gx2 TWINX2048-3200PRO modules 
(four total) 


>» Video cards: matched pair of eVGA GF 7900GT 256 (NVIDIA SLI) 
> Case: Silverstone TJO7-S 


> Hard drives: 2x Seagate Barracuda 300GB 7200 RPM 8MB cache SATA 
3.0Gb/s 


DVD R+W: Plextor PX-716AL/SW SATA 
Monitor: Samsung LCD 204B 20.1" 


Keyboard: Logitech Cordless Comfort Duo (includes mouse) 


vvev yv 


Logitech G7 Laser Cordless mouse 


The above list includes the G7 Laser Cordless mouse simply because 
that is what we ended up using, but we do not include it in our price lists. 
Your choice of keyboard and mouse are more personal than just about 
anything else on your system (save, perhaps, your monitor). We like the 
keyboard in the Logitech Cordless Comfort Duo but not the mouse. So we 
replaced the mouse with a Logitech G7 Laser Cordless mouse. We don’t 
assume any of you are going to do the same, so we don’t make a fuss 
about keyboards and mice in this do-it-yourself system. 


THE DO-IT-YOURSELF GOAL 

Our goal for the do-it-yourself system was to create a high-powered Linux 
desktop without breaking the bank. Bang for the buck was our motto. We 
created a powerful system with components that often fell just below the 
big price breaks, after which you tend to pay a lot more for only minimal 
performance gains. In addition, we opted for a fan-based enclosure instead 
of a more expensive (and usually harder to install) liquid-cooling system. 


We also include an alternate budget-minded system. Our do-it-yourself 
budget system is still pricey, but it delivers a lot of power at a considerably 
lower price than our favorite configuration. 

One very important consideration in our choices was, will this work 
with most Linux distributions “out of the box”? We installed Debian, 
Ubuntu/Kubuntu, Fedora Core 5, SUSE 10 and Mandriva on our do-it- 
yourself system. All of these distributions ran without any trouble and 
without the need for any additional drivers or special driver management. 
(We did, however, use the proprietary NVIDIA drivers, not out of necessity, 
but in order to make use of the SLI features of the motherboards.) We also 
ran Knoppix, MEPIS and Kanotix live CDs without problems. 


MOTHERBOARD 

We chose to configure our do-it-yourself system around the ABIT AN8 32X 
939 motherboard and an AMD64 4200+ Athlon X2 (dual-core) processor. 
We chose the AMD64 4200+ based on price. By the time you read this, 
AMD will have lowered the prices on its line of dual-core processors, so you 
can get more CPU bang for the same bucks than we did. We used two sets 
of matched pairs of Corsair memory modules (1Gx2 TWINX2048-3200PRO) 
for a total of 4GB in four slots in dual-channel mode. 

The motherboard is the foundation of any do-it-yourself system. We 
looked at three motherboards, all based on socket 939 AMD64: the ABIT 
AN8 32X, MSI KN8 Diamond Plus and ASUS AN832-SLI Deluxe. All three 
motherboards sell for around $200 US or less, depending on your source. 
The price difference is not significant enough to choose one over another. 
All of these motherboards support socket 939 dual-core AMD64 chips and 
dual-channel memory. All of the motherboards support two video cards 
configured in SLI mode. We tested the boards with two eVGA GeForce 
7900GT video cards configured for SLI. 

You aren't likely to be disappointed with any of these motherboards. 
The MSI comes with the Creative Sound Blaster Audigy system integrated 
on the motherboard, so Audigy fans will love the MSI. Both the MSI and 
ASUS boards include two LAN ports vs. one port on the ABIT. So if you 
want two LAN connections, the MSI or ASUS could be the board for you. 

However, it is easy to add network cards and sound cards to mother- 
boards. Despite the fact that the memory controller for the AMD64 is on 
the chip itself, not the motherboard, it is not possible to force a mother- 
board to support RAM differently than intended—at least it is impossible 
to make a motherboard support 8GB of RAM if it is designed to support 
AGB or even just 3GB in practice. That is why we felt the ABIT trumped the 
other boards in the long run. It takes better advantage of the memory 
addressing capability of the AMD64 processor than the MS! or ASUS. The 
ABIT motherboard supports up to 8GB of RAM. The MSI and ASUS boards 
say they support up to 4GB of RAM, but they seem to be designed with 
32-bit Windows XP in mind, and therefore use only up to 3GB of RAM by 
default, even if you have 4GB installed. The AMD64 version of Linux saw 
only 3GB of usable RAM on the MSI and ASUS boards. Although it may be 
possible to make all 4GB visible to Linux on the ASUS and MSI boards by 
playing with BIOS settings, the ABIT saw all 4GB without any BIOS modifi- 
cations. (The MSI manual implies that it is not possible to make more than 
3GB visible on that motherboard, but we did not attempt to prove or 
disprove the implication.) 
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> THE ULTIMATE DIY LINUX BOX 


FAVORITE SYSTEM, 
NOT INCLUDING MONITOR, 
KEYBOARD OR MOUSE 


Motherboard: ABIT AN8 32X 939 ($200 US) 
Processor: AMD64 4200+ Athlon X2 ($360 US) 
Power supply: Silverstone SST-ST65ZF 650 Watts ($170 US) 


Memory: two sets of Corsair 1Gx2 TWINX2048-3200PRO modules 
(four total) ($500 US total) 


Video cards: pair of eVGA GeForce 7900GT 256MB (NVIDIA SLI) 
($678 US) 


Case: Silverstone TJO7-S ($365 US) 


Hard drive: 2x Seagate Barracuda 300GB 7200 RPM 8MB cache 
SATA 3.0Gb/s ($200 US) 


> DVD R+W: Plextor PX-716AL/SW SATA ($150 US) 


TOTAL: $2,623 US (not including monitor, keyboard or mouse) 


ALTERNATE BUDGET 
CONFIGURATION, 
APPROXIMATE PRICES 


Motherboard: ABIT AN8 32X 939 ($200 US) 
Processor: AMD64 4200+ Athlon X2 ($360 US) 
Power supply: Enermax ELT500AWT 500 Watts ($100 US) 


Memory: one set of Corsair 1Gx2 TWINX2048-3200PRO modules 
(four total) ($250 US total) 


Video card: eVGA GeForce 7900GT Signature 256MB ($360 US) 
Case: Thermaltake Tsunami VA3000BWA ($100 US) 


Hard drive: Seagate Barracuda 300GB 7200 RPM 8MB cache 
SATA 3.0Gb/s ($100 US) 


> DVD R+W: PX-750A ATAPI ($60 US) 


TOTAL: $1,530 US (not including monitor, keyboard or mouse) 


We populated the ABIT with four 1GB RAM modules, for a total of 
AGB. If you run 32-bit Linux, you should still be able to use all 4GB of 
RAM. A properly configured 32-bit Linux kernel will map the RAM such 
that a portion of it goes to the kernel and the rest goes to user space. 
Linux splits up the RAM depending on how you have compiled the kernel 
(or how it is precompiled on your distribution). 

All of these boards have one more unexpected memory quirk. When 
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you populate all four RAM slots, the motherboard clocks back 
the memory. In our case, it clocked back our memory from 
400MHz to 333MHz. This happens regardless of the memory size 
of the modules you use. The motherboards will clock back the 
RAM based on the fact that you have populated all four slots, 
not based on the total RAM in the system. 

Again, it should be possible on all of these motherboards to 
adjust the BIOS settings to reset the clock speed back to 400. 
The BIOS on one board may make it more difficult to do so than 
on another, but by the time we addressed this issue, we already 
were sold on the ABIT. We were able to change the clock speed 
back to 400 on the ABIT board very easily. We simply set the 
DRAM timing settings to run “By SPD” (by the speed of the 
modules). This reversed the clocking back of the RAM and set 
he speed back to 400. We haven't experienced any instability at 
his speed, so it appears to be quite safe to make this change. 
Granted, you may not notice a performance improvement with 
he higher speed. When it comes to RAM, latency settings tend 
o affect performance more than speed. We did not risk chang- 
ing the latency settings to something other than the specifica- 
ions of the memory modules. 

At this point, you should ask yourself whether you really need 
AGB or more RAM. A total of 4GB could easily be overkill for 
many, if not most, users. If you think you will be content with 
ess RAM for the life of your system, that gives you more reason 
o consider the MSI or ASUS boards, because all three boards will 
handle two 1GB modules (for a total of 2GB) equally well. But if, 
ike us, you're a glutton for RAM, the ABIT is the clear choice, 
regardless of whether you run a 32-bit or 64-bit Linux system. 


POWER SUPPLY 


Never underestimate the importance of a good power supply for 
your do-it-yourself system, especially if you intend to use two 
video cards configured in SLI mode. You can experience all kinds 
of bizarre symptoms of instability if you underpower your system 
with an inadequate power supply. Don’t go for anything less 
than a 500-Watt power supply if you intend to use two video 
cards in SLI mode. Go even higher if you intend to add other PCI 
cards to your system. And, when you shop for power supplies, 
be careful to look for efficiency ratings. Some power supplies 
boast good peak output, but the sustained output can still be 
inadequate. 

There's almost no point in choosing a power supply based on 
its rated mean time between failures (MTBF), that is, how long it 
should last. We suspect these figures reflect how long the power 
supply lasts assuming the fan never fails. Unfortunately, power 
supply fans fail all the time. The power supply overheats, and 
kablooey, so much for the mean time between failure rating. 
Your mileage may vary, but we've had the best luck with 
Enermax power supplies and their fans. 

You will need a power supply with a 24-pin power connector 
to the motherboard for any of the motherboards we tested. You 
also will need a power supply with connectors for two video 
cards, so that you can use these motherboards in SLI mode. We 
chose the Enermax ELTS00AWT 500-Watt power supply for our 
system. It sells for about $100 US, depending on your source. 
We also used a Silverstone SST-ST65ZF 650-Watt power supply 
for a similarly configured system. It sells for about $170 US, 
depending on your source. We've had these power supplies only 
for a few weeks at the time of this writing, but they both work 
well so far—knock on wood. 


CASE 

We pulled out all the stops when it came to a case for our Ultimate Do-lt- 
Yourself System. We chose the Silverstone TJO7-S case, which sells for 
about $365 US, depending on your source. This is quite expensive for a 
case, but it is worth the investment. First, the thing is huge. It’s larger than 
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> THE ULTIMATE DIY LINUX BOX 


FAVORITE SYSTEM 
WITH ACCESSORIES 


Motherboard: ABIT AN8 32X 939 ($200 US) 
Processor: AMD64 4200+ Athlon X2 ($360 US) 
Power supply: Silverstone SST-ST65ZF 650 Watts ($170 US) 


Memory: two sets of Corsair 1Gx2 TWINX2048-3200PRO modules 
(four total) ($500 US total) 


Video cards: Pair of eVGA GeForce 7900GT 256MB (NVIDIA SLI) 


($678 US) 
Case: Silverstone TJO7-S ($365 US) 


Hard drive: 2x Seagate Barracuda 300GB 7200 RPM 8MB Cache 
SATA 3.0Gb/s ($200 US) 


DVD R+W: Plextor PX-716AL/SW SATA ($150 US) 


Monitor: Samsung LCD 204B 20.1" 1600x1200 ($400 US) 


Keyboard and mouse: Logitech Cordless Comfort Duo ($75 US) 


TOTAL: $3,098 US 


any tower case we've ever tried. This gives you tons of room to work when 
you insert cards and cable the system. On the other hand, if you're looking 
for a case you can place on top of the desk instead of beside it, this is 
definitely not the case for you. 

The hard drives are tucked away in two separate removable compart- 
ments, and each compartment is cooled with its own separate 120mm 
fan. It has two more 120mm fans at the top of the case, and two rear 
92mm intake fans. The case is remarkably quiet, considering it has six fans, 
not including the CPU fan, power supply fans and so forth. All this ventila- 
tion keeps everything very cool without having to invest the time and 
effort in creating a liquid-cooled system. 

The case has a flip-down front accessory panel with connectors for 
audio, USB and FireWire. The panel is flush with the front of the case, so 
you simply press on the bottom of the panel to open it. Some people 
might be annoyed that there's no spring loading, no button and no catch 
for the panel, either in its open or closed state. We have no complaints 
with it though. 

The only way to press the reset switch is to use a wire tool, which you 
insert into a small hole in the front of the case. Some people will hate this 
feature, others will appreciate how it protects you from accidentally reset- 
ting your system. 

You can certainly find adequate cases for far less money, and some of 
them may even place things like the accessory jacks in more convenient 
locations. But, we found this to be a superb case primarily because of how 
easy it is to work inside it (thanks to its gigantic size) and superior ventila- 
tion without having to use liquid cooling. 

If you're going to go the budget route, there are so many decent cases 
from which to choose, we're hard pressed to recommend one over another. 
Each has its advantages and disadvantages. We chose the Thermaltake 
Tsunami VA3000BWA, which sells for just over $100 US at most outlets. 
It's not as high class as the Silverstone, and we found it frustrating to get 
the DVD drive installed, but it’s a fair case for the price. It has a flip-up top 
accessory panel. People who leave things on top of their computer case 
will find this inconvenient, but the same must be said of the Silverstone 
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case, as it has top-mounted fans you can block by leaving 
manuals or other paraphernalia on top of the computer. 


VIDEO CARDS 

Yes, you can use two NVIDIA cards in SLI mode on Linux—if you 
don’t mind running the proprietary NVIDIA driver, which taints 
the Linux kernel. We chose a pair of eVGA GeForce 7900GT 
cards with 256MB of RAM. These cards are a great compromise 
between price and performance. The combination of cards totals 
at about $500 US, which is less than the price of a single NVIDIA 
7900 GTX card (about $570 US). eVGA sells basically the same 
cards with different clock speeds at different prices. For example, 
budget-minded folks can get a single eVGA GeForce 7900GT 
Signature 256MB (same basic model as the ones we used in SLI 
mode) with higher clock speeds for about $360 US. 

You obviously have more choices than eVGA when it comes 
to video card manufacturers. We chose eVGA for our examples 
simply because the company produces a large selection of prices 
and configurations of NVIDIA cards, which made it easy to pick 
cards to fit varying budgets. We've had good success with other 
brands as well. 

If you opt to use the NVIDIA proprietary drivers, you need to 
add the following line to your xorg.conf file: 

Option “SLi "Auto" 

We also recommend that you dig through the NVIDIA 
HOWTO to learn how to specify whether you're using a digital or 
analog connector. Some monitors like to guess which interface 
you're using for five seconds or so, which can cause annoying 
delays when you start your desktop. 


DRIVES 

You've got a wide range of drives to choose from, and good SATA drives 
are amazingly inexpensive. We chose two Seagate Barracuda 300GB 7200 
RPM drives with 8MB Cache. These drives are SATA 3.0Gb/s drives, so 
they’re fast, and all three motherboards can handle these types of drives. 
We chose two identical drives for RAID 0 configuration, which produces 
even faster disk access (though without any fault tolerance). You can pick 
just one of these if you’re on a budget. They go for about $100 US each. If 
you're not a fan of Seagate for any reason, you can get other brands of 
drives that work just as well for about the same price. 

Plextor offers a SATA DVD R+W drive, the PX-716AL/SW for about 
$150 US. This drive has the following write speeds: DVD+R at 16x, 
DVD+RW at 8x, DVD-R at 16x, DVD-RW at 4x, CD-R at 48x, CD-RW at 
24x, DVD+R DL at 6x and DVD-R DL at 6x. It offers read speeds at 16x 
DVD-ROM and 48x CD-ROM. Be careful when selecting a SATA-based 
DVD/CD drive, however. You can run into Linux installation problems if you 
choose a Linux distribution with a kernel configured such that it doesn’t 
recognize a SATA DVD/CD drive properly. 

We chose a Plextor PX-750A ATAPI drive for our budget combination, 
because it costs only about $60 US. You can find cheaper drives, but the 
less you pay, the noisier and more unreliable they tend to be. 


ACCESSORIES 


Of course, you will need, at the very least, a monitor, keyboard and mouse 
to have a complete system. We don’t make much of a favorite monitor, 
keyboard or mouse because your favorites will depend a great deal on 
your personal tastes. Some people like wide monitors; others don't. Some 
people like wireless keyboards; others don't. Some people like ergonomic 
design; others don’t. 
Our summary sample configurations do include a monitor, keyboard 
and mouse. We did so only to give you an idea of the total price you can 
expect if you are going to put together a complete system. Your total price 
probably won't change much if you choose a different keyboard or mouse, 
but monitor prices vary greatly depending on what kind of monitor you 
want. So, take our prices with a grain of salt. If you opt for a big, wide- 
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> THE ULTIMATE DIY LINUX BOX 


TIPS FOR DOING IT YOURSELF 


1) Mount your CPU carefully. The CPU 
itself is generally very easy to mount. 
The AMD64 is particularly easy because 
the pin locations prevent you from 
inserting it incorrectly (previous ver- 
sions of AMD CPUs prevented you from 
inserting the chip incorrectly too, but 
not as well as the AMD64). 


The CPU heat sink/fan combination can 
be anything from a breeze to a night- 
mare to install, depending on many 
factors. Some motherboards locate the 
CPU in awkward places, or place heat 
pipes and other components too close 
to the mounting bracket. Sometimes 
it’s just hard to get the heat sink 
mounted for no particular reason. 


There are lots of third-party CPU heat 
sinks and fans available. If you are 
going to use one, find one that mounts 
easily. Some of the best coolers require 
you to place a bracket beneath the 
motherboard, or even if they don’t, they 
are installed most easily before you 
mount the motherboard in the computer. 
Consider this possibility before you 
install the motherboard. 


2) Examine the layout of your case 
before installing anything. For example, 
in some cases (no pun intended), you 
may find that it is easiest to install the 
power supply first. Many cases place 
the power supply across from the loca- 
tion where your DVD/CD drive will go. 
It’s usually much easier to mount the 
drive after the power supply is installed 
than vice versa. If you install your drive 
first, you may find yourself having to 
twist and turn the power supply just to 
get it into a position where it will slide 
into place. If you’ve already installed 
other things, like your motherboard, 


screen monitor, you're obviously going to pay more. 

We chose for our example a Samsung 204B, because it has a fairly 
large screen (20"), good resolution (1600x1200), good contrast ratio 
(800:1) and an unusually fast response time (only 5ms). It’s a great monitor 
for work and gaming, at a good price—about $400 US. 

Extremely budget-minded people can go for something like the Acer 
AL1515, which is smaller (15"), lower resolution (1024x768) and much 
slower (16ms). This monitor can be good for work but terrible for gaming. 


But the price is much lower at about $150 US. 


As for keyboard and mouse, we chose two Logitech combinations, the 
Wireless Comfort Duo (about $75 US) and the wired Internet Pro (about 
$18 US). You have a lot of wiggle room here. You can get better key- 
boards and mice without having to spend a whole lot more money, but 
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this can lead to disaster, since the 
twisting and turning may scrape 
components on the motherboard. 


Another common problem occurs when 
you install your hard drives before you 
install add-in cards like your video card. 
Many cases place the hard drives 
directly across from the video card. We 
have actually had the experience where 
we had to move a hard drive to another 
slot in order to make a video card fit. 


3) Suck it in and blow it out. Mount 
your fans in such a way that you get the 
best possible air circulation. Fans blow 
air in one direction. Make sure you 
mount the fan such that it blows the 
right way. It’s way too easy to simply 
mount fans willy-nilly, and have the 
near-the-CPU case fan blowing onto the 
processor instead of drawing the hot air 
out, which is what it’s supposed to do. 


4) Drives get hot too. You can lengthen 
the life of your hard drives and keep 
your whole computer considerably 
cooler by making sure you have fans 
blowing on the hard drives. Good cases 
provide ways to mount fans that cool 
your hard drives by pulling air off them 
and blowing the air out of the case. The 
Silverstone case we used cools drives 
extremely well. But if your case doesn’t 
fan your drives, you can always buy 
drive fans that mount on the bottom of 
the drive. Beware, however, that some 
cases make it impossible to use these 
under-the-drive fans. They may not 
provide enough room, or they may 
have unusual drive mounting schemes 
that prevent you from using these neat- 
o devices. 


5) Tie-wraps are your friends. Loose 


cables can create nightmares in the long 
run. They flop around and can get caught 
in fan blades. When you're finally done 
assembling your system and are satis- 
fied everything works properly, get in 
there and tie your cables together. Make 
sure you bunch the cables in such a way 
that they remain out of key ventilation 
paths or other sensitive areas. 


6) Video cards can be surprisingly 
fragile. They are notoriously easy to 
break if you don’t handle them carefully. 
We've knocked a capacitor off at least 
two video cards in our history of 
assembling do-it-yourself computers 
simply by holding the video card in the 
wrong place while removing it from 
the package or while inserting it into 
its slot in the computer. It’s also easy 
to knock capacitors off the boards while 
moving cables or otherwise doing work 
inside your computer. We’re not talking 
about handing the video card to the 
Incredible Hulk, who presses too hard 
on these things. The capacitors almost 
jump off the board with very little 
pressure applied. We’re not sure why 
video card manufacturers mount these 
components so precariously, but they 
do, so beware. 


7) There is a jumper, switch or other 
device on your motherboard that 
allows you to clear the BIOS settings. 
Use it to clear the BIOS settings before 
you boot your do-it-yourself system for 
the first time. 


8) Read your manual with respect to 
installing RAM modules. All the mother- 
boards we tried support dual-channel 
access to RAM, but you have to insert 
the modules in a certain order for dual- 
channel to work. 


the Comfort Duo should be enough for most users. We happened to 


preferred system. 


replace the mouse that comes with the Comfort Duo with a Logitech G7 
Laser Cordless, but you may find this mouse to be a royal pain, because 
it requires you to swap batteries as much as twice daily. Fortunately, it 
comes with two lithium ion batteries, one of which stays in a charger 
while you use the other. But because this is an unlikely choice for many 
people, we stuck with the Cordless Duo as the standard choice for the 


PLAYING WITH PRICES 

We put together two systems, a great system and a more budget-minded 
system. If you have money to burn, you easily could pump up the great 
system into an ultimate system. Trick it out with the two best NVIDIA cards 


ALTERNATE BUDGET 
CONFIGURATION WITH 
ACCESSORIES 


Motherboard: ABIT AN8 32X 939 ($200 US) 
Processor: AMD64 4200+ Athlon X2 ($360 US) 
Power supply: Enermax ELT500AWT 500 Watts ($100 US) 


Memory: one set of Corsair 1Gx2 TWINX2048-3200PRO 
modules (four total) ($250 US total) 


Video card: eVGA GeForce 7900GT Signature 256MB 
($360 US) 


Case: Thermaltake Tsunami VA3000BWA ($100 US) 


Hard drive: Seagate Barracuda 300GB 7200 RPM 8MB cache 
SATA 3.0Gb/s ($100 US) 


DVD R+W: PX-750A ATAPI ($60 US) 
Monitor: Acer AL1515 ($150 US) 


Keyboard and mouse: Logitech Internet Pro Desktop, 
PS/2 Wired Standard Keyboard Mouse Included ($18 US) 


TOTAL: $1,698 


on the market in SLI mode. Add a liquid-cooled system that you connect 
to everything in the box that generates heat. Go for the top-of-the-line 
AMD64 processor instead of the 4200+. You'll pay a lot more, but you'll 
get what you pay for. The AMD Athlon 64 FX60 Toledo runs for just 
under $1,000 US. 

The second combo uses a less-expensive case, a single video card and 
less memory in order to save cash. You can cut other corners as well, but 
we chose those components that were at a price threshold where a better 
component would cost significantly more money. For example, at the time 
of this writing, the difference between an AMD64 4000+ and an AMD64 
4200+ is about $30 US, but the price difference jumps to $100 US between 
the 4200+ and the 4400+. As mentioned earlier, AMD is likely to have 
restructured all these prices by the time you read this, so the threshold 
where the price jumps probably will be different. Choose accordingly. 

The same tends to hold true for video cards. There’s a point at which 
the price increase doesn’t get you much extra performance, so you have to 
think hard in order to decide whether you want to spend the extra cash 
for the edge. At the time of this writing, the NVIDIA 7900GT series is 
affordable and fast. If you really need a budget card, the eVGA GeForce 
6600GT 256MB PCI Express x16 goes for about $150 US, and although it 
doesn't compete well with the 7900 series, it’s no slouch. 

Perhaps no category includes a wider variety of prices than monitors. 
We didn’t explore the vast range in our do-it-yourself kit, simply because a 
choice of monitor can be intensely personal. We can’t tell you which one 
you'll like best, but we can tell you that the price difference between a 
monitor you like and one you love can be as much as $1,000 US or more. 
We're very happy with the Samsung 204B. You might need more, or you 
might be happy with less. 


Nicholas Petreley is Editor in Chief of Linux Journal and a former programmer, teacher, analyst and consultant 
who has been working with and writing about Linux for more than ten years. 
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THE ULTIMATE LINUX DESKTOP 


The Ultimate Linux Desktop 


Puget Custom Computers packs a lot of power into our Ultimate Linux Desktop. 


When determining the basic specifications for 
what the Ultimate Linux Desktop should be 
capable of, one thing Editor in Chief Nicholas 
Petreley and | agreed on was that it should have 
at least two NVIDIA SLI GPUs. If you're not 
familiar with SLI (Scalable Link Interface), this 
technology allows you to run two or four 
GPUs (Graphics Processing Units) either on a 
single card or a pair of cards to increase video 
performance. It works by splitting the process- 
ing work to render video among the GPUs 
for each frame. 

Why care about something fancy like SLI? 
Aside from the cool factor, the Ultimate Linux 
Desktop needs to run modern games made 
available for Linux. Doom 3, Quake 4 and 
Unreal Tournament 2004 all are capable of tak- 
ing advantage of this powerful feature, so why 
miss out? Aside from games, SLI also benefits 
those doing high-end graphics work, especially 
3-D graphics. Any application that uses OpenGL 
graphics can take advantage of this feature. 
However, for high-end graphics workstations, 
you're more likely to go quad SLI (four GPUs) 
rather than dual (two GPUs). 

In conjunction with SLI, the motherboard 
needs SLI support. For the rest, it was mainly a 
wish list of what most people would like to see 
in a desktop computer: plenty of fast RAM, fast 
networking, great audio, front-panel USB, dual- 
core CPU and more. Oh, and of course, all of it 
has to be supported by Linux. Another stipula- 
tion was the machine has to come with Linux 
pre-installed, or if the user has to install Linux 
themselves, it can’t be a difficult operation. 

For the Ultimate Linux Desktop, we were 
going for ease of “set up and go”. We weren't 
considering anything that required hand-tweaking 
hardware or installs, except for very basic oper- 
ations. Why be this fussy for the Linux Journal, 
the home of Linux geeks? The desktop is where 
the Linux community is still getting its legs, and 
the ability to order a Linux box pre-installed is 
definitely a helpful boost to beginners. Linux is 
no harder to install than Microsoft Windows, 
but average users never install Windows on 
their own. Many would rather purchase a 
new machine than try it. 

So, enough with the introduction. You want 
to know what machine won and why. 


MEET THE WINNER 

The Ultimate Linux Desktop comes from Puget 
Custom Computers (www.pugetsystems.com). 
From its High End Gaming Computer category, 
the setup we received includes a number of 
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Figure 1. A custom-built machine from Puget Custom 
Computers is our Ultimate Linux Desktop. 


desirable features (Figure 1). This particular con- 
figuration costs $2,882.17 US before tax. There 
is no monitor, keyboard or mouse included. 

The CPU is an AMD Athlon 64 X2 4400+, 
which runs at 2.2GHz. This isn’t the newest 
or fastest processor in its series, but it’s at the 
juicy price point for most users. This dual-core 
CPU allows programs built to take advantage 
of SMP (Symmetric Multiprocessing) to split 
their processing tasks among the two cores. 

n general, it's designed for those who use a 
ot of multimedia or do a lot of multitasking, 
which pretty well describes the job of an 
Ultimate Linux Desktop. 

The motherboard is an ASUS A8N-SLI 
Premium, which is designed to make it simple to 
activate or deactivate SLI support when needed. 
On many early SLI-based motherboards, you 
have to open the computer and change a 
switch setting in order to accomplish this task. 
The ASUS A8N-SLI Premium allows you to do 
this in the BIOS instead or by using a Microsoft 
Windows XP utility (unfortunately all of the utili- 
ties for this motherboard are for Windows or 
DOS). You won't find any serial port on this 
motherboard, so if you need support for older 
hardware, you have to pick up a separate card. 
There also is no floppy drive. 

The ASUS A8N-SLI Premium offers support 
for AMD Cool ‘n’ Quiet Technology, which 
adjusts the CPU speed, voltage and power 


consumption, depending on what the system 
is doing. Although this motherboard is more 
than a year old, its feature collection is still 
impressive, including: 


> HyperTransport Technology 
(www.hypertransport.org), which 
speeds up communication between 
integrated motherboard components. 
Dual-channel DDR (Double Data Rate) RAM. 
Serial ATA (SATA) Il hard drive interfaces. 


Dual RAID controllers. 


PCI Express controllers. 


vvevevyv 


S/PDIF (Sony/Philips Digital Interface) Out 
to allow digital-to-digital transfer of audio 
between devices. 


> IEEE 1394a (FireWire), which is now supported 
under Linux. 


> USB 2.0 connectors. 
> Two Gigabit Ethernet interfaces. 


For RAM, this box has two Corsair XMS 
CMX1024-3200C2 PC3200 1,024MB low-latency 
sticks. The XMS (Xtreme Memory) product line 
from Corsair is designed for overclockers and 
gamers. Rather than choosing the flashy option 
of the RAM sticks with the LED displays along 
their tops, Puget Custom Systems went with the 
less-flashy (and therefore less-expensive) option. 
We were hoping for fast memory, so this is a 
real plus—and we encouraged vendors to go 
more for practical than “bling”. 

The included hard drive is the Western 
Digital SATA Raptor 74GB. This drive might be 
a bit small for what many people want, but 
you can choose another size if you want a 
bigger one—and are willing to pay more for it. 
However, this hard drive is 10,000 RPM, so it 
flies when it's in use. 

When it comes to the video cards, specifically 
what's included are two eVGA 7900GT CO 
256MB SLI cards. These aren't the highest 
model available for eVGA’s NVIDIA 7900 series 
cards, but again, you can customize the order 
to go up to the GTX if you want to spend 
around $1,000 US more on your computer to 
get the bleeding edge. 

One small drawback may be the Seasonic 
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> THE ULTIMATE LINUX DESKTOP 


Figure 2. Part of the Cooling Setup for the Ultimate Linux Desktop 


S12 Series 500W power supply. If you want to 
add many more components to this system, 
you'll want to upgrade to a larger wattage. On 
the plus side though, this power supply series is 
extremely quiet and has split rail technology, 
meaning that the various devices on your sys- 
tem are all drawing their power from, in a way, 
multiple smaller power supplies. This feature 
prevents devices from interfering with each 
other. On an SLI system, you definitely want this 
feature in your power supply. 


KEEPING COOL 

Everyone has heard about things like people 
being able to cook inside modern computers. 
If you've run into problems with intermittent 
crashes while playing high-end games, you also 
know the pain of video cards and other compo- 
nents that overheat. Although we would have 
loved a liquid-cooled box, and they will build 
you one, it can add more than $1,000 US to the 
price. Without liquid cooling, however, Puget 
Custom Systems still provides a machine 
where much thought was put into how to 
keep it from overheating (Figure 2). 

First, there's the Swiftech MCX159-CU 
Chipset Cooler. It's a small heat sink and fan 
that is sandwiched, in this case, between the 
two video cards (top left). Then, there's the 
monster Thermalright XP-90 Heatsink with 
92mm Papst Fan, which is attached to the CPU 
(bottom middle). This particular solution is a 
combination fan, a set of radiating fins and a 
set of heat-conducting pipes that can radiate as 
well. There’s another fan bolted into a metal 
frame (upper right) to help cool the video cards 
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as well, and there’s a heat exhaust fan (bottom 
right) to blow hot air out of the case. Not shown 
in Figure 2 is another fan for air intake at the 
front of the case. 

The case's design also helps keep the system 
cool (Figure 3). This Lian-Li V1000B Mid-Tower 
case is broken into three compartments: one 
for the hard drives (lower left), one for the 
power supply (bottom right) and then the 
upper compartment for the rest of the system. 
This breakdown creates three separate cooling 
zones, using small slots to pass cables through 
without letting too much heat travel within 
the machine as well. 

Many spots on the outside of the case are 
made of a metallic mesh, allowing heat to pass 
through easily. You would think that such a 
setup would make the machine noisy, but in 
fact, this is a fairly quiet system, mostly because 
the fans are so large. The bigger the fan, the 
quieter it tends to be. 


OTHER FUN FEATURES 

Within the case, as you can see in Figure 3, the 
cables are wonderfully managed so that the 
computer doesn’t look like someone dropped a 
bunch of spaghetti into it. The hard drive is 
installed in the lower left, sideways so you 
can easily access the important areas—not to 
mention making it far simpler to pull a drive 
out or push it in without banging it against 
other important components. 

The front panel (Figure 4) offers a power 
button (the big silver disc), audio jacks, two USB 
ports and a FireWire port. If you've ever had to 
crawl around under desks to get to the back of 


1 
ta 


Figure 3. The other part of the cooling setup is the actual case layout. 


Figure 4. The front panel is along the bottom of the 
machine. You also can see the mesh mentioned earlier. 


a machine just to plug in your USB thumbdrive, 
you know what a pain that can be. Of course, 
if you keep this case on the floor, you'll still 
have to get onto the floor to access these 
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> THE ULTIMATE LINUX DESKTOP 


controls, but it's better than having to go 
around to the back. 

On the back panel (Figure 5), you can see at 
the top the connectors for both video cards. 
Below and on the right are the 5.1 analog audio 
connectors, the two Gigabit Ethernet jacks, four 
USB ports, a FireWire port, a parallel port, PS/2 
mouse and keyboard jacks, and both coaxial 
and optical S/PDIF jacks for digital audio and 
features, such as 5.1 surround sound. 

One of the perhaps smallest, but most won- 
derful features of the case is the single screw 
lock mechanism for removing the side panel. 
You simply have to twist one large screw by 
hand (no tools needed) to unlock the panel and 
pull the panel off. That's it. Then to put it back, 
slide the panel into place and re-lock the screw. 

You also receive a box containing all of the 
unused parts and bits that came with the hard- 
ware included in the machine. There's a sheet 
that shows where many of the components 
plug in to the back. There’s also a sheet show- 
ing you the warranty information for any com- 
ponents that offer them, and this particular box 
came with a one-year warranty as well. In the 
box, | also found all of the manuals and CDs 
involved in the process, including a DVD of 


Fedora Core 5 (more about that in a moment). 

This is ultimately a practical machine for 
today, and today’s games in particular, hitting 
all of the best price points. However, if you are 
especially into games, you might prefer to 
push further into the bleeding edge and higher 
costs so you won't have to upgrade any time 
soon. The flexibility of Puget’s customization 
interface—and the fact that if you ask them 
to add something to the machine that isn’t 
available on their official list, they'll do so— 
should take care of those users. 


THE ULTIMATE LINUX DESKTOP, 
AND LINUX 
The box arrived with 32-bit Fedora Core 5 pre- 
installed. SLI was enabled, as verified in the X 
server logs. The collection of yum repositories 
recommended by FedoraFAQ.org were in place 
as well. Flash wasn’t installed, but it was a 
minor annoyance because the repository was 
already set up. Other than that, everything 
worked like a charm under both an older 17" 
CRT monitor and a newer 24" wide-screen LCD. 
To check out the performance under pres- 
sure, | tried both Unreal Tournament 2004 
and Quake 4. Both of these games played 
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smoothly with the absolute highest video res- 
olutions and effects settings. In fact, Quake 4 
was set to 16x anti-aliasing with anisotropic 
filtering and 1920x1200 resolution and still 
played perfectly smoothly. 

They have the firewall on with SSH enabled 
by default, which is a sane option. SELinux is 
on as well, so users would have to go out of 
their way to unsecure the machine. | can’t 
think of any real complaints here aside from 
Flash. The system worked out of the box with 
Linux in place. Mind you, the installation was 
32-bit instead of 64-bit. | could only speculate 
as to why at this point, so | won't make wild 
guesses—and I'm sure if | had specifically asked 
them to install 64-bit, they would have done so. 

Really, other than that it just worked, and 
worked well; you can’t ask for more than that 
from the Ultimate Linux Desktop. 


Figure 5. The back panel offers most of the hookups, 
along with many spots for ventilation, including mesh 
and cut-outs for fans. 


Dee-Ann LeBlanc (dee-ann.blog-city.com) is an award-winning 
technical writer and journalist specializing in Linux and miniature huskies. 
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THE ULTIMATE LINUX SERVER 


The Ultimate Linux Server 


The Aberdeen A261T rackmount server delivers amazing 
bang for the buck as a rule of thumb—literally. 


We defined specific parameters that would 
describe our Ultimate Linux Server before we 
began our search. To put it simply, the server 
had to be built for reliability, high availability 
and provide the best bang for the buck. Only 
one vendor provided us with a server that met 
our requirements. Although this made it easy to 
choose the Aberdeen Stonehaven A261T dual-core 
dual-processor rackmount server as our Ultimate 
Linux Server, one shouldn't get the idea that the 
Stonehaven doesn’t deserve its place at the top 
based on its own merits. This server meets our 
entry criteria and then some. 

The Aberdeen Stonehaven A261T rackmount 
server has two dual-core AMD Opteron processors 
for a total of four effective CPUs, and it comes 
with six 250GB hard drives configured for RAID 5. 
Aberdeen can provide up to 127B of storage if 
you need it. The server comes with redundant 
power supplies for increased availability. Should 
one fail, you can hot swap a new one in its place. 
You also can hot swap the SATA drives. 

The A261T is based on the Tyan $2882-D 
Thunder K8SD Pro motherboard. Tyan has long 
been a reliable provider of server motherboards, 
and this particular model is a terrific foundation 
upon which to build. The server includes an 
Areca SATA RAID controller. The default Linux 
software is Red Hat Enterprise Linux Server 4.0, 
64-bit (x86_64), which is included with the server 
along with a handful of driver disks, manuals 
and other minor goodies. 

Here is the official list of the box’s features 
that we tested: 


» AMD Opteron 64-bit dual-core 265 (1.8GHz), 
1GB per core processor. 


>» Six 250GB SATA 7,200RPM 16MB cache hard 
drives with NCQ. 


> 1.5TB storage capacity (maximum 37B). 


> 2GB Registered ECC DDR 400 memory 
(16GB memory capacity). 
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Six hot-swap drive bays. 


Available 5.25 for optional tape backup. 


> 

> 

> Dual Gigabit Ethernet controllers. 

> Redundant 460W hot-swappable power supply. 
> 


Hot-swappable four 10cm fans and two 
4cm fans. 


> Eight port SATA Il 3Gb/s RAID controller (0, 
1, 10, 5, 6, 50, JBOD capability) with battery 
backup module. 


>» RAID Management Software Installation and 
User Guides. 


> Tyan System Monitor Server Management 
Software Installation and User Guides. 


> Five-year parts and labor warranty. 


Vv 


Optional: XDAS scalable storage appliance 
capability. 


PERFORMANCE 
We ran a series of benchmarks on the A261T. 
Most of them produced meaningless results, 
because the A261T was too fast for our bench- 
marks to stress the hardware adequately. We 
finally produced our own benchmark based on 
the siege program, which simulates a number of 
simultaneous Web clients hammering the server 
for Web pages. It wouldn't do to serve up static 
pages for this benchmark, because that would 
create no significant stress on the server. So we 
created a Web site based on Apache, PHP and 
MySQL that includes IFrames, JavaScript and 
records information about each visitor, so that 
each page access produces write operations on 
MySQL as well as read operations. 

This turned out to be too much for the server 
at first. In fact, our dinky workstation outperformed 
the server by a wide margin. Naturally, this made 


no sense, so we went on a troubleshooting spree. 
The answer turned out to be a poorly configured 
Apache file (httpd.conf). We suspect that the fault 
lies primarily with the GUI httpd configuration tool 
in Red Hat Enterprise Linux, but we haven't had 
time to back out all the changes and try the pro- 
cess from scratch in order to identify where things 
went wrong. Regardless, this is an issue with Red 
Hat EL 4.0, not with the server hardware. Any 
administrators worth their salt will want to tweak 
the http.conf one way or another to adapt it to 
their applications, whether they do so manually or 
via any one of several Web-based or GUI tools. 

We didn’t find this problem easily, but that’s 
thanks mostly to Murphy's Law, which includes 
the axiom that one never looks in the right place 
the first time. At first, we noticed that MySQL was 
using up an unusual amount of CPU power. Was 
the outdated MySQL that comes with Red Hat 
Enterprise Linux 4.0 causing the problem? No. We 
replaced the 4.x version of MySQL with a 5.x ver- 
sion, and it made no difference. We ran up2date 
and chose to replace the existing Linux kernel 
with the latest version. This turned out to be a 
bigger task than expected. The Red Hat kernel 
doesn’t include support for the Areca RAID con- 
troller. Fortunately, Aberdeen provides a CD-ROM 
with driver code and instructions for creating a 
module for any new Red Hat kernel and instruc- 
tions on including this module in the initial RAM 
disk. Once we found those instructions, it was just 
a matter of minutes before we had the new ker- 
nel up and running. It didn’t matter. The new 
kernel and driver didn’t improve performance. 

That's when we finally looked at the Apache 
httpd.conf file. On a hunch, we removed a 
duplicate Alias line created by Red Hat's GUI 


COMPANY 
INFORMATION 


9130 Norwalk Boulevard, 
Santa Fe Springs, CA 90670 


Phone: 562/699-6998 


Sales: 800/552-6868 


Fax: 562/695-5570 


RESULTS OF THE SIEGE TEST 
WITH 500 SIMULTANEOUS 
USERS 


Transactions 25,000 hits 


F sucesfutnsacion | 25000 
Prados [0 


Shortest transaction 00 


tool, and we tweaked the pre-fork parameters 
of Apache. Here is what we ended up using: 


<IfModule prefork.c> 
StartServers 20 
MinSpareServers 5 
MaxSpareServers 20 
MaxClients 256 
MaxRequestsPerChild 0 
</IfModule> 


We restarted Apache and MySQL, re-initialized 
the database and Web site and then nothing 
seemed to be able to slow this puppy down. The 
siege benchmark defaults to simulating 15 simul- 
taneous clients. Don’t be deceived by this appar- 
ently tiny number of clients. The siege benchmark 
doesn’t merely send 15 clients to the Web site, it 
hammers away at the Web site continually, unlike 
how 15 real users would. Real people read a page 
and move on. The siege benchmark doesn’t bother 
reading anything. It just keeps hammering away. 

Nevertheless, the A261T laughed at our 15 
simultaneous users. So, we kept boosting the 
number until we hit 500 simultaneous users, which 
produced enough load to make the server recog- 
nize we were there. Table 1 shows the final results 
of the siege test with 500 simultaneous users. 

As you can see, the response time was usually 
less than one second, which is remarkably fast for 
the kind of pages we were serving. The server had 
no problem delivering more than 300 transactions 
per second with a concurrency of 218 requests. 

We had to go back to our workstation and 
try the same test, given that the workstation 
previously left the A261T server in the dust at 15 
concurrent users. We changed the workstation 
configuration to match the server, and the work- 
station couldn’t even finish the test at 500 con- 
current users. In fact, the only way we could get 
it to finish was to reduce the number of concurrent 
users to 100 maximum, and even then it failed 
one transaction. We produced the numbers in 
Table 2 on a system with an AMD 4400+ Athlon 
x2 processor with 4GB of DDR400 RAM and a 
300GB SATA 3.0Gb/s drive (no RAID). 


SAME TEST, ON 
THE WORKSTATION 


Shortest transaction 000 


This story wouldn't be complete without 
mentioning our personal blunders. The Aberdeen 
server made an extremely loud whining noise 
when we first set it up. We tolerated this noise 
for what seemed like an eternity (more like two 
weeks of playing around with the server and 
running the original benchmarks, which we 
eventually had to replace). When we'd had 
enough, we opened up the case to listen to specific 
areas and feel around for vibrations in order to 
locate the source of the noise. A slip of the wrist, 
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and suddenly there was a piece of thumb caught in 
a CPU fan blade. (Never let it be said that we don’t 
put a bit of ourselves into everything we do.) Now 
we had not only a loud whine, but also a fan that 
made a nearly unbearable racket. 

It turns out the whine was just the server's 
way of letting us know one of the redundant 
power supplies wasn’t working. Why wasn’t it 
working? Because we didn’t have the power cord 
pushed in all the way. It turned out we could 
have saved ourselves two weeks of agony and a 
band-aid if we'd simply pushed in the power 
cords more carefully. As for the fan, it worked, if 
noisily. But we replaced it with one of our own 
while we waited for Aberdeen to send another. 
The server wasn’t whisper quiet by any means 
once we had it in normal operation, but it sounded 
like virtually any other rackmount server that has 
to push a lot of air in order to stay cool. 

The retail direct price for this particular 
configuration is $4,999 US. Given the design 
for reliability and its excellent performance and 
scalability, we consider the A261T to deliver an 
awful lot of bang for this buck. This model is 
very well deserving of our title of Ultimate Linux 
Server, and we recommend the Aberdeen line of 
servers without reservation.m@ 


Nicholas Petreley is Editor in Chief of Linux Journal and a former 
programmer, teacher, analyst and consultant who has been working 
with and writing about Linux for more than ten years. 
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THE ULTIMATE MULTIMEDIA CENTER(S) 


The Ultimate 
Multimedia Center(s) 


The Ultimate Multimedia Center actually slides in under a million dollars. 


Venice Beach is one of my favorite beaches in 
the world, and when | go to the Los Angeles 
area, | try to visit the beach, just to stroll along 
the sidewalk and watch the people. One of the 
people | like to watch for is my friend Clay 
Claiborne who owns Cosmos Engineering, and 
who named his Web site Linux Beach. 

Clay is a Linux advocate from way back, and 
on my last trip out there, he was bragging 

about the multimedia system he had built for 
his house using Linux to control it. When | heard 
about the Ultimate Linux System issue coming 
up, | put Clay to the challenge. 

Now, the first thing a person has to under- 
stand is that there is no upper limit for what 
you can spend on multimedia equipment, and 
that of course also means the computer system 
you can buy to capture, edit and play back the 
multimedia. If | wanted to buy an “ultimate” 
system, | would simply set aside a million dollars 
or so and go from there. So, the first place we 
started with was what a person who had a 
great love for multimedia, but an average-sized 
wallet would want in a system. | am sure we 
will get lots of letters complaining that our sys- 
tem was not “ultimate” enough, but | hope 
those letters will be outweighed by the ones 
that say, “Gee, | can almost afford that, and 
it is really cool—it all works together and it 
was easy to install.” 

Along those same lines, Clay designed two 
systems. Each one is expandable, but one is a 
bit less expensive than the other, for those with 
smaller wallets. Clay has pledged to supply us 
with all the specs and the software he uses on 
them so people can build them from scratch. 
For those with more money than time, Clay will 
be happy to order, assemble, install the soft- 
ware, test and ship them to you, and you may 
well be happy to buy the service. Your choice. 

In honor of his love for the seaside, Clay 
has named these systems the Linux Beach 
MultiMedia Center 500 (LBMC 500) and 
the Linux Beach MultiMedia Center 1000 
(LBMC 1000). 

First, both systems come with a remote 
control (who wants to get off the couch?), and 
both systems are designed to be whisper quiet 
through the use of specialized cases, careful 
attention to power supply selection and selec- 
tion of graphics cards that have no extra fan. 
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Figure 1. Linux Beach MultiMedia Center with optional monitor, keyboard and mouse—Tux is not available. 


The smaller LBMC 500 system uses the Ninja 
2 case, which was designed with low noise in 
mind. Although it does have a door on the front 
[| hate doors—md] you can get to the DVD 
without opening it. There are also two USB 
ports, one FireWire port and a set of headphone 
and mic jacks on the front for easy access. The 
power supply is 400W—more than adequate for 
the smaller system. 

The larger LBMC 1000 is built around the 
Antec Sonata Il case, which also was designed 
for quiet operation. It uses a SmartPower 2.0 
450-Watt power supply that is “smart enough 
to turn its fan off when it is not needed”, as 
Clay puts it. Following along the lines of 
“quiet”, the CPU fan is also RPM-controlled for 
low noise levels. Clay says he added blue LEDs 


to the front of the case so you will know it is 
turned on. Unfortunately, with this case, you 
have to open the front door to get to your 
DVD drive, but the extra noise muffling 
makes that reasonable. 

At my urging, Clay also chose as an alterna- 
tive to the Antec Sonata Il, the Antec Overture II 
Quiet Media case for those people who like 
their media centers to be horizontal instead of 
vertical. But please remember not to block the 
ventilation holes with “stuff”. Both the vertical 
and horizontal cases have two USB ports, one 
FireWire and audio ports on the front. 

Both systems use the same motherboard, 
the Gigabyte GA-K8NF-9. The smaller system 
gives you an 800Mbps FireWire port along with 
its eight USB 2.0 ports. In order not to use those 
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THE ULTIMATE MULTIMEDIA CENTER(S) 


high-speed ports for anything other than high- 
powered storage, the motherboard also gives 
you S/PIDIF Digital Audio In and Out to drive 
your surround sound 5.1 or 7.1 audio system, as 
well as eight channels out to drive analog ampli- 
fiers directly. It also gives you a parallel printer 
port and one RS-232 com port for those legacy 
peripherals, as well as PS/2 ports for mouse and 
keyboard. Video out is supplied by standard 
analog VGA, digital DVI or S-Video for the TV. 
Two monitors or a monitor and a TV can be 
used for different signals at the same time. The 
TV is properly set up with over scan so that 
everything appears as it should. Video can be 
captured with the TV tuner, composite or 
S-Video in. Finally, Gigabit LAN gives you the 
tightest possible connection to the world. 


about twice the CPU power, although either 
chip is honking at the speeds they are going. 
And although the larger system comes with 
1GB of memory standard, the smaller one 
comes with “only” 512MB. [maddog remem- 
bers when he paid $23,000 US for 1MB of 
semiconductor memory and $128,000 for 64 
Kilobytes of Core—he will tell you some time 
what “Core” is.] 

Both systems offer you an upgrade of both 
CPU and memory to your wallet’s capacity. The 
CPUs offered for the LBMC-500 are the AMD 
Athlon 64 3200+ (optional) or the 3700+ or 
4000+ as options. For the LBMC-1000, the CPUs 
are the AMD Athlon 64 2X 4200+ (standard), 
or the optional upgrade to the 4600+. 

Speaking of capacity, the smaller system 


—_—/! 


Figure 2. The internals of the Linux Beach MultiMedia Center 500; the motherboard is the same as the LBMC 1000. 


The larger system gives you the same fea- 
tures, but three 800Mbps FireWire ports, ten 
USB 2.0 ports and two RS-232 com ports. 

Both motherboards also use the NVIDIA 
nForce4 chipset on the mainboard to provide 
the best PCI timing and drive a 3Gb/s SATA bus, 
two PCI and two PCI-Ex1 slots for expansion. 
The NVIDIA GeForce video output is driven at 
twice the speed of an AGP 8X through the PCI- 
EUR-Express 16 port. 

The CPU is the next place that the two sys- 
tems differ. Although both use a 64-bit AMD 
processor with an 800MHz memory bus speed 
and 4GB memory maximum, the larger system 
uses a dual-core chip, effectively giving you 
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comes with a MAXTOR 250GB, 7200 RPM SATA 
drive with 16MB of cache, but it can be ordered 
with two of these drives in the system for a bit 
more money. The larger system comes with a 
MAXTOR drive that is 40O0GB standard, and a 
second drive could be added. Both systems 
sport a Sony double layer (16x) DVD rewritable 
optical disk drive that can hold up to 8.5GB on 
a disk. The Sony's CD-R write speed is 48x. 

For those of you who are really starved for 
storage, the 800Mbps FireWire will give you 
amazing storage capacities outside the main 
CPU cabinet. 

The TV tuner card in each system is the 
Hauppauge WinTV PVR150. Don’t be turned off 


by the WinTV part, it is nicely supported by 
Linux. You also can get the pcHDTV HD3000 as 
an additional upgrade on both systems. With 
this second tuner, you get to watch and record 
high-definition TV, and also record one program 
while watching another, or record two TV 
programs at once. Clay tells me that on the 
larger system you can install enough tuners 
to record six TV channels at one time. But 
Clay, | have other things to do with my life 
than watch TV—like listen to music! 


JUST A MATTER OF SOFTWARE 
TiVo changed my life. | never watched much TV 
at all in my adult years, but | was very loyal to 
the shows | watched. TiVo allowed me to watch 
what | wanted, when | wanted. A couple of 
problems though—it was available only in the 
US, and although it was running Linux, it had 
big “do not open this box” labels on it. Of 
course, intrepid Linux hackers ignored this 
warning, and soon TiVos had much larger 
storage capacities and remote setup and so on. 

Clay calls the software MythTV “TiVo on 
steroids”, and although Linux Journal does 
not condone drug usage of any type, | have 
to agree. 

The core software of this system is Ubuntu. 
Clay chose Ubuntu because it gave good basic 
support to the multimedia, and because he 
likes their slogan, “| am what | am because 
of who we all are”. | have to admit that | like 
that slogan too. 

Clay installs all of the core Ubuntu to make it 
easily available to the end user to tailor. So, you 
could run your Web server off your multimedia 
center. You also could use your multimedia 
center to handle your e-mail. Your choice. 

On the other hand, you could use it just 
to record the TV shows that you want to 
watch and then play them back again using 
the MythTV software that Clay integrates. 
Or, use MPlayer to play your DVDs and 
other audio/video files in a huge number 
of formats. Or use XMMS to play back 
music, create playlists or create visual aids 
to go with your music. 

And, of course, the remote is supported by 
MythTV, MPlayer and XMMS. 

Clay also mentions that although all of 
the day-to-day audio/video functions can be 
controlled by this remote, you may want to 
get a wireless keyboard and mouse to operate 
the system better. 

For complete specs, ordering information, 
copies of the software, and other things 
associated with this project, please go to 
CosmosEng.com/cgi-bin/cosmoseng/ 
004-LBMS2.html for the Linux Beach 
MultiMedia 500 and CosmosEng.com/ 
cgi-bin/cosmoseng/004-LBMS1.html for 
the Linux Beach Multimedia Center 1000. 

And, for your own sake, get off the couch 
every once in a while—maybe to get a soda 
from the fridge. 

TiVo is a trademark of TiVo, Inc. Linux is 
a trademark of Linus Torvalds.m™ 


TS-7300 High Security 
Linux FPGA Computer 


$2196 $189 
= 200 MHz CPU | 


a User-programmable 
Altera 2C8 Cyclone Il FPGA 


a PC/104 expansion bus 


a Fanless, no heat sink 


10 RS232 serial ports 


a 55 DIO ports 


2 10/100 Ethernet 


a VGA video out 
a matrix keypad & text mode LCD 
a 2 USB ports 


a 2 hot-swappable SDCard sockets 


a SD is software RAID1 capable 
a Linux, NetBSD 


a Real Time extension 


r 


Design your solution with 
one of our engineers 


a Over 20 years in business 


a Never discontinued a product 


a Engineers on Tech Support 


a Custom configurations and designs w/ 
excellent pricing and turn-around time 


% Most products stocked and available 


Figure 4. Linux Beach MultiMedia Center 1000 with door open. 


Jon “maddog” Hall is the Executive Director of Linux International 
(www.li.org), a nonprofit association of end users who wish to 
support and promote the Linux operating system. During his career 
in commercial computing, which started in 1969, Mr Hall has been 

a programmer, systems designer, systems administrator, product 
manager, technical marketing manager and educator. He has worked 
for such companies as Western Electric Corporation, Aetna Life and 
Casualty, Bell Laboratories, Digital Equipment Corporation, VA Linux 
Systems and SGI. He is now an independent consultant in Free and 
Open Source Software (FOSS) Business and Technical issues. 


Clay Claiborne (cjc@Cosmoseng.com) is CEO of Linux hardware 
integrator Cosmos Engineering Company. He has worked in the 

computer industry off and on for 30 years. He has been a Linux 
enthusiast since 1995. In 1996, he developed the concept of selling 


Linux pre-installed on a hard drive and produced Linux On A Disk. 


He founded Linux Users, Los Angeles, and was its president for eight 
years. He currently resides in Venice, California. 
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We liked the Nokia 770 back when we reviewed Well, we still like it. Here’s why: loading three packages. With a Bluetooth 

it for the February 2006 issue. Since then, the GPS providing your current location, you 
770 has received generally good reviews from 1. It is a legitimate and useful handheld Linux can own a “look ma, no wires!” navigation 
Linux geeks and bad ones from the mainstream computer (2.6 kernel, Debian package solution for your car or bike that is easy to 
press. Rob Pergaro in the Washington Post says management, GNOME UI), yet small and take with you when you park. 

it “does little, and not very well”. Steven light enough to fit in a shirt pocket. Consider 

Mannes in Forbes says it comes with “lots of the possibilities. 3. It is Net-native out of the box, with a solid 
built-in frustration”. CNET calls it the “worst- browser, excellent Wi-Fi (802.11b/g) and 
rated product that CNET readers love” and 2. Linux desktop applications are straightfor- Internet radio stream support. 

knocks its lack of Ethernet, slow load times and ward to port. For example, running GPSdrive 

sub-cellular battery life. and gpsd on the 770 is a simple matter of 4. The 770's 4.3" touchscreen display, with its 
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800x480, 225 pixels/inch resolution and 16 
bits per pixel color depth, is beautiful. 


5. The ARM9-based, 250MHz Tl OMAP 1710 
CPU at the core of the device provides 
plenty of CPU crunch while conserving 
battery power. 


6. Storage is easily upgradable. For less than 
$70 US, we fattened the memory of our 770 
with a 1GB SanDisk RS-MMC card. 


7. It has an active development community 
(maemo.org) that keeps enlarging its 
portfolio of capabilities. 


8. It’s backed by a giant company that can 
mainstream the unit through deals with the 
likes of Linksys and Discovery.com (see the 
on-line Resources). 


We are also intrigued with the Pepper Pad, a 
2.3 pound “two-handheld” Linux (MontaVista) 
computer with a 20GB hard drive, an infrared 
port (so you can use it as a remote control), a 
QWERTY keyboard (split to the left and right of 
the screen, so you can hold the pad with two 
hands and type with your thumbs—it's easier 
than you might think) and stereo speakers, 
among other features. In TUX (our sister publi- 
cation), David Hitrys had kind things to say 
about the Pepper Pad (see Resources). 

We favor the Nokia 770, however, because 
it fits cleanly inside a new niche—the pocket- 
sized computer—while the Pepper Pad operates 
at a price point (just over $800 US) where there 
already are piles of Linux-ready notebooks with 
much heftier hardware. Still, the Pepper Pad is 
a New Thing, and we hope it succeeds—just 
as we hope all wide-open Linux-based devices 
succeed. 

Success won't come easy, as long as the 
manufacturers continue to promote these things 
as “consumer” devices while they still lack a full 
portfolio of familiar and easy-to-use applications 
for nontechnical users. That kind of marketing 
guarantees negative reviews from mainstream 
media. The Nokia 770, for example, has the 
form factor of a PDA and comes from a compa- 
ny whose name is synonymous with cell phone. 
Yet it is neither. Instead, it is a computer. As a 
“consumer” computer, it suffers for not being 
Windows and for failing to meet the average 
user's expectations of a portable Windows or 
Palm device. 

For the price of a Nokia 770, you can get an 
HP iPAQ or a Palm Treo. Both work as PDA/cell 
phones and run lots of ready applications. But, 
both also trap the user in Microsoft's or Palm’s 
silos (and carrier partners’ silos as well). The 770 
doesn’t do that. It’s about as open as anything 
you'll ever see in a handheld computer from a 
major manufacturer—especially a manufacturer 
accustomed to working through supply chains 
that meet customers inside the walled gardens 
of cell-phone carriers. 


For now and the near future, the Nokia 
770 is a geek tool. That is why we continue to 
recommend it and to salute Nokia for making 
and supporting it. It’s also why we urge the 
hackers among our readers to take a look at the 
maemo development platform roadmap (see 
Resources) and to help move things along. At 
the time of this writing (mid-May 2006), the 
Telepathy IM/VoIP Integration framework is in 
the works. So is the Farsight audio/video confer- 
encing framework. On the to-do list are Ul 
development tools such as Gazpacho, and 
enablement for languages (Python and Java) 
other than C for writing Ul applications. Nokia 
also has sponsored significant improvements to 
the Matchbox window manager. And, with the 
announced 2.0 software feature set, the 770 
should be even more attractive to those looking 
for a way to put Linux in their pockets. 

Of course, this isn’t the first time a major 
handheld device manufacturer has attempted 
to leverage the Open Source Development 
community on behalf of a new mass-market 
product. Sharp did exactly that with the Zaurus, 
which still has an active development commu- 
nity, even though the device was discontinued 
in 2004. 

Now would be a good time for the Zaurus 
folks to get behind the Nokia 770, and for 


everybody else with time and imagination to 
jump on board. With a critical mass of open 
applications, the market will invite other large 
hardware players to jump into the game and 
defeat the walled-garden model that continues 
to afflict the whole cell-phone industry and to 
threaten the computer industry as well. (For 
evidence of the latter, look no further than the 
iPod or the Windows Media Player.) 

Open Linux-based hardware products like 
the Nokia 770 and the Pepper Pad are disadvan- 
taged in the short run, but advantaged in the 
long. Although they lack the finished gloss 
associated with consumer electronics, their 
advantage is the same unfinished nature that 
the mainstream reviewers find so annoying. 

As platforms, these hardware devices are far 
more open and adaptable than their proprietary 
competitors. And, in the long run, evolution 
favors the most adaptable species.m 


Resources for this article: 
www.linuxjournal.com/article/9070. 


Doc Searls is Senior Editor of Linux Journal. 


Jim Thompson is a veteran Linux (and UNIX) hacker who has long been 
one of the leading figures in wireless networking. 
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THE ULTIMATE FUTURE LINUX BOX 


The Ultimate 
Future Linux Box 


The new AM2 socket-based AMD Athlon 64 dual-core processor goes beyond 11. 


We got our hands on an AMD rev. F Processor 
(FX-60 or X2-5000+), along with the ASUS 
M2N32-SLI Deluxe motherboard built for this 
processor, and we're convinced this points the 
way to the future of the Ultimate Linux Box. 

The movie This Is Spinal Tap is about a 
fictional heavy metal band with members who 
aren't very bright. In one scene, a guitarist men- 
tions that if he cranks up his guitar to volume 
ten, and cranks up the amplifier to volume ten, 
that’s as loud as it gets. There’s nowhere left to 
go. Then he boasts of an amplifier he has 
whose knobs are numbered up to 11. Rob 
Reiner, the host, asks if he couldn't just buy 
an amplifier that is louder at volume ten. The 
guitarist looks confused for a moment and then 
says, “But this one goes to 11.” 

CPUs are close to the point where they've 
gotten to ten, and there's nowhere left to go. 
AMD and Intel have been bumping up against 
Moore's Law for a while now. They can pump 
only so many Gigahertz out of a processor. 
Enter the dual-core processors. At this point in 
history, it's easier to improve performance by 
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adding a second core than it is to try to keep 
cranking up the GHz ratings (although AMD 
and Intel do that too). 

That takes care of the processor's technology 
bottleneck, but it doesn’t address the next 
bottleneck in performance: how to get the 
processor to talk to RAM in the most efficient 
way possible. So far, we’ve seen AMD and Intel 
attempt to address this bottleneck by pumping 
up the front-side bus frequency and by sup- 
porting newer, faster types of RAM and 
RAM configurations. 

Fast-forward to yesterday (relatively speak- 
ing). Intel supports DDR2 RAM, but the best 
AMD can do is DDR in dual-channel mode— 
hence the need for the new AM2 socket-based 
AMD64 processors. The differentiating factor 
between the old socket 939 line of AMD64 
dual-core processors and the new socket AM2 
processors of the future is that the new proces- 
sors include an on-die memory controller for 
DDR2 RAM. Otherwise, the two processors are 
essentially the same. 


DO OR DIE 

The operative phrase is “on-die”. This is now 
the differentiating factor between AMD and 
Intel processors. Currently, Intel must use an 
onboard memory controller in order to access 
DDR2 RAM. Although theory and practice do 
not always match, this, in theory, gives AMD a 
big advantage over Intel in the long run. 

Why? One of the biggest performance bot- 
tlenecks with respect to memory access is laten- 
cy. Latency is the time the processor has to wait 
before it can get the information it requests. 
AMD has reduced latency—in theory—by 
putting the memory controller on the CPU itself 
instead of relying on an on-the-motherboard 
memory controller. In fact, all AMD64 proces- 
sors include the memory controller on-die. The 
difference between the socket 939 processors 
and the socket AM2 processors is that the 
AM?2-based processors have a future, because 
they support DDR2. 

DDR is an eventual dead end. Today, DDR2 
delivers little if any improvement over DDR, but 
DDR2 is improving all the time. In fact, Corsair 
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about the same time AMD released the 
socket AM2 processors. The timing is not a 
handread ~~ coincidence. You can’t see any benefit in 
handwrite the socket AM2 processors without better 
handrmw 

memset -:--e--- DDR2 modules. 
_memepy ----&-~- As it is, you can’t see much benefit 
even with the better DDR2 modules. But 
that’s because we're still in the early stages 
of DDR2 performance. Until recently, DDR2 
performance has been a dog. The newest 
DDR modules are a lot better than the 
ones you could get just months ago. And 
DDR2 should improve steadily over time. 


WHERE LIES THE FUTURE? 
The question will be, which processor will 
best be able to exploit the performance 
increases in DDR2? AMD is preparing to 
win that battle with its on-die memory 
controller. Only time will tell, but I'd place 


my bets on AMD. It simply makes more 
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1.07374e+09 sense to put the memory controller on-die 
rather than increase latency by relying on a 
memory controller on the motherboard, as 
is the way Intel processors currently work. 
You've probably seen countless bench- 
marks of the socket AM2 processors by 
now, most of which show very little 
improvement over existing processors. We 
tried the same type of comparison and found that the X2-5000+ dual-core 
socket AM2 processor blew away our AMD64 4400+ Athlon x2. That’s not 
too surprising, because there’s a fairly significant increase in processing 
speed. But, we didn’t have an apples-to-apples system with which to 
compare the new one. 

Here's the trick. AMD claims that even with DDR2 memory, speed isn’t 
the issue, latency is. If you're familiar with how processors access memory, 
you'll know this is a perfectly credible statement in theory. But does it play 
out in practice? 

We wanted to see if latency really does affect performance as much 
as AMD claims and reason dictates. AMD sent out a number of sample 
products to reviewers early on, when DDR2 modules still had high- 
latency issues. When AMD finally released the socket AM2 processors, 
it claimed we would see about a 1% performance increase over the 
early samples. We didn't have an early sample, so we compared the 
previous latency capabilities of DDR2 to the current ones by changing 
the latency settings in BIOS. We ran a memory/cache benchmark using 
the two different latency settings. You can see the performance with 
faster settings (4,4,4,12) in Figure 1. See Figure 2 for the benchmark 
results for the old latency settings (5,5,5,15). 

Do you see the difference? Maybe not. Try to squint your eyes and turn 
your head a little and look again. If you look carefully enough, you will see 
some differences in performance. But we can save you the headache of 
trying to interpret the numbers in a moment. 

First, just for fun, we wanted to show you the huge difference 
between these benchmarks and the same benchmark on the AMD64 
4400+ (see Figure 3). 

Now, back to the latency issue. There really is a performance difference 
between the two latency settings on the AM2, but admittedly, it’s hard to 
see from the graphs shown here. So, we ran some Windows-based graphics 
benchmarks to find out if we could see the difference more clearly. We 
started with AMD's own nbench. We ran nbench on the ASUS M2N32-SLI 
Deluxe with the 5000+ processor, tricked out with two eVGA 7900GT 
NVIDIA video cards in SLI mode, with antialiasing and anisotropic filter 
settings set to application-controlled. Table 1 shows the results of 
nbench for the different latency timings. 
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We'll do the math for you. There’s 
about a 1% difference in performance, 
exactly as AMD had predicted. Just for 
kicks, we cranked up the graphics settings 
to the best possible antialiasing and 
anisotropic filtering. Although the overall 
performance dropped some due to the 
extra work, the difference in performance 
between the two latency settings was 
about 1% once again. 

The next benchmark comparison is 
apples to oranges, but it does show that 
the improvement over the AMD64 
4400+ is enough to make our mouths 
water over the new system, regardless of 
where it’s getting its kick. See Table 2. 
Even with the graphics settings entirely 
maxed out for best quality, the AM2 
system boasted a 15% performance 
improvement over the 4400+ system, 
despite the fact that the 4400+ system 
had four times the RAM installed. 

The problem with all these numbers is 
that they cannot reflect what a joy it is to 
behold the new system render graphics. 
Excerpts from unreleased games (unre- 
leased because no current system can 
handle them) run like movies on the socket 
AM2 system, even with all the graphics 
settings set to the max. They don’t quite 
run like slideshows on the 4400+ system, 
but the choppiness is extremely annoying, 
even with all of the graphics settings 
turned down to a minimum. 

More important, the 1% difference 
in performance with the changes in 
latency settings may not look like much 
on paper, but it is often easy to see the 
improvement when you run the 3-D 
graphics benchmarks. This is because a 
3-D scene looks best at 30 frames per 
second or better. When the frame rate 
hovers between 25 frames per second 
or less and 30-some frames per second, 
you really notice a 1% performance 
difference. Even a slightly more choppy 
rendering of a scene can be noticeably 
annoying. 

We saw something closer to a 2% 
performance improvement when we ran 
the Windows-based AquaMark3 bench- 
mark with the different latency settings 
(Table 3). This particular benchmark doesn't 
drop into the critical frame rates, so you 
don’t notice the difference in perfor- 
mance as much as you do with other 
benchmarks. But you can see from the 
figures that the frame rates do change 
with different latency settings. 


THE BOTTOM LINE 

We drooled when we received the AMD 
rev. F Processor (FX-60 or X2-5000+) 
along with the ASUS M2N32-SLI Deluxe 
motherboard built for this processor. 
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CPU overall performance 


3-D overall performance 


Overall performance 3418 


Configuration AM2 SLI-AC 4,4,4,12 
2857 


CPU overall performance 


3-D overall performance 4047 


Overall performance 3450 


Sure, we'd heard about how this is only an incremental 
improvement over existing AMD64 Socket 939 processors and 
their motherboards. In fact, most opine that there’s no improve- 
ment at all. As it turns out, many benchmarks show that there 
is minimal improvement in performance. 

But, we think most reviews are missing the forest for the 
trees. The AM2 socket-based processors and boards aren't 
about delivering an exponential improvement in performance 
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AM2 SLI-MAX 


THE 5000+ AM2 PUTS THE 
4400+ 939 TO SHAME. 


CPU overall performance 


3-D overall performance 


Overall performance 


AMD64 4400+ SLI-MAX 
CPU overall performance 


3-D overall performance 


Overall performance 


today. This is about laying 
the foundation for expo- 
nential improvements in 
performance for the 
future. We can’t tell you 
whether it is worth it for 
you to invest in today’s 
socket-AM2 motherboards 
and processors. The risk 
you take is mostly depen- 
dent upon how quickly 
memory manufacturers 
can improve DDR2 and 
whether your mother- 
board will support the 
improved DDR2 modules. 
In the long run, however, 
DDR2 will most definitely 
improve, and AMD will 
undoubtedly ship quad- 
core processors that 
require DDR2 and lower 
atency in order to exploit 
he advantages of quad- 
cores. So, although it may 
be frivolous to invest in a 
socket AM2 system today, 
we predict that the time is 
coming when the benefits 
will be indisputable. It is 
entirely possible that Intel 
can pull a rabbit out of its 
design hat and trump the 
AMD approach, but we 
don’t see that happening 
yet. That's why we consid- 
er the socket AM2 systems 
as the Ultimate Linux 
Boxes of the future.m™ 


Nicholas Petreley is Editor in Chief of 
Linux Journal and a former program- 
mer, teacher, analyst and consultant 
who has been working with and writing 
about Linux for more than ten years. 
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NetDVD: Building a 
Network-Attached 
Peripheral with Linux 


Use Linux to build your own network-attached peripheral. BRADFORD C. SMITH 


| work in the Molecular Imaging group of Siemens Medical 
Solutions, where my colleagues and | develop and maintain soft- 
ware used to run Positron Emission Tomography (PET) medical 
scanners. These machines generate large amounts of patient data 
that our customers must archive for later retrieval and review, so 
our software allows customers to archive data to tape or Magneto- 
Optical (MO) disk. Using tape is very slow, so archiving to MO disk 
is generally preferred. Unfortunately, during the past few years, 
we've had a lot of problems with the MO hardware sporadically 
corrupting the MO disks, leading to expensive and tedious data 
recovery efforts and several replaced MO drives. 

For many years, our customers have been asking for the ability to 
archive their data to DVD. DVD media is much cheaper than either 
tape or MO, and it can be read by any PC with a DVD drive. This 
would be useful to many of our customers, because there are free 
software tools they can use to read our data files on a PC. Because 
the MO drive vendor appeared unable to resolve our hardware prob- 
lems, we decided the time was right to implement DVD archiving. 


Figure 1. Prototype NetDVD in Casetronic C134 Case 
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Unfortunately, we immediately hit a snag. The control consoles 
for our scanners are Sun UltraSPARC workstations running Solaris 
2.6, Solaris 7 or Solaris 8. Customer hardware ranges from an Ultra 2 
to a Sun Blade 2500. With so many different machines to support, 
we clearly needed an external SCSI DVD burner. But, we couldn't find 
a stable source for such a device, and Solaris 2.6 and Solaris 7 have 
little or no support for DVD burner hardware. 

Because DVD burners are easy to get for x86 hardware and have 
been well supported by Linux for years, we decided the best solution 
would be to use a small Linux box with a high-quality DVD burner to 
do the work of reading and writing the DVDs. This would solve our 
hardware and OS-compatibility problems and make it easier to add 
support for new media types in the future. The Solaris workstations 
would communicate with the DVD reader/writer machine over the 
network, so we named our creation the NetDVD. 


Finding a Vendor and Prototype Hardware 

Because our business is building large medical scanners—not 
computers—the first thing we 
needed was a company to put 
the devices together for us and 
help select the hardware. | did 
Web searches to find appropri- 
ate companies and sent out 
several query letters. Few of 
the companies | contacted 
were interested in our project, 
and most required a guaran- 
teed minimum number of units 
to work with us. We have 
about 700 scanners in the 
field, and it’s likely we'll sell 
NetDVD devices to a few hun- 
dred of those, but | didn’t have 
the authority to make any kind 
of commitment. 

Thankfully, MBX Systems 
was very helpful. Their repre- 
sentative, Ed Jamison, quickly 
suggested some possible hard- 
ware solutions, including one 
using a mini-ITX motherboard 
in the C134 case from 
Casetronic, shown in Figure 1. 
This case is actually a bit small- 


er than the external MO drives we've been using, so it looked like 
the perfect choice. We eagerly ordered one with a 1GHz processor, 
256MB of RAM, a 40GB hard drive and a laptop-size DVD burner. 


Selecting the Linux Distribution 

Once we had the prototype, we had to decide what Linux distribution 
we would put on it. My fellow developer and Linux enthusiast, Dan 
Duckworth, had just been reading about how great this new Ubuntu 
distribution was, so we decided to give it a try. We downloaded the 
Ubuntu 4.10 Warty Warthog CD image, and it installed beautifully. 
Ubuntu is based on Debian, which I’ve been using for several years, so 
| found configuring it very easy to do. It worked so well for us that we 
never even tried another distribution. 


The NetDVD TCP/IP Protocol 

While we were picking out a vendor, hardware and a Linux distribu- 
tion, | was putting a lot of thought into how client machines would 
talk to the NetDVD. The client computer must be able to read a DVD, 
write to a DVD and create a copy of a DVD to provide redundant 
archive backups. To manage this, | decided to combine a custom TCP/IP 
protocol with Network File System (NFS). 

To use a NetDVD, the client machine connects to it using our 
custom NetDVD TCP/IP protocol. If the device is already busy serv- 
ing another client, it will respond with a BUSY error message and 
drop the connection. This ensures that only one client can control 
the device at a time. If the device is not busy, it will send a brief 
message stating the highest version of the NetDVD protocol it 
understands. At the time of this writing, the only version of the 
NetDVD protocol is 0, but we may create new versions of the 
protocol later to add new features. 

If the client connects successfully, it immediately sends an ini- 
tialization command to the NetDVD. This command tells the device 
both the version of the NetDVD protocol the client will use to 
communicate with it and what the client believes the current time 
to be in Universal Coordinated Time. The NetDVD sets its clock 
to match the client, so the machines will be in agreement on 
filesystem timestamps. 

Also during the initialization command, the NetDVD uses NFS to 
export an empty directory on its hard drive with read/write permission 
strictly to the client's IP address. This is a working directory for the 
client to fill with files it wants to write to DVD. It is on a large disk 
partition separate from the operating system, so filling it up will not 
cause the device to misbehave. 

To read a DVD in the NetDVD’s drive, the client sends a mount 
command. This causes the device to mount the media in its drive and 
export it via NFS strictly to the client's IP address. When the client is 
finished reading, it can simply unmount it or unmount and eject it 
using an appropriate command. 

To write files to a DVD, the client first mounts the NetDVD’s work- 
ing directory via NFS and fills it with the files and directories it wants to 
write to the DVD. Once finished, it sends a burn working directory 
command to the device and specifies whether this is supposed to 
be a new DVD or data appended to a DVD written previously. The 
ability to append data was crucial to our use of the device to archive 
data incrementally. 

To copy a DVD in the NetDVD device's drive, the client sends a 
special copy command. The device then copies the directory struc- 
ture on the media to a special directory on the same partition with 
the working directory. Once the copy is done, the client may send 
a burn copy command to the device one or more times to write 
the copied directory tree to as many DVDs as it likes. This method 
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will not make viewable copies of video 
DVDs, because the data on those disks 
must be written in a very specific 
order that we don’t preserve. 


User Control without a 
Keyboard or Monitor 
Although we usually had a monitor 
and keyboard hooked up to the 
NetDVD device during development, it 
is meant to appear to the customer as 
if it were a network-based peripheral, 
like a network printer. Because the 
user cannot type shutdown -h now to 
tell the NetDVD to shut down, it must 
do a clean shutdown when the user 
presses the power button. 
Conveniently, modern motherboards 
supply the Advanced Configuration 
and Power Interface (ACPI). When the 
user presses the power button, the 
motherboard sends a signal to the 
processor. Then the processor is 
responsible for actually shutting the 
computer off. Linux has good support 
for this interface, so all we had to do 
was install the acpid Ubuntu package. 
This package comes already config- 
ured to do a clean shutdown when 
the power button is pressed. 
But, a clean shutdown takes sever- 
al seconds to complete. If the device Figure 2. Second prototype NetDVD in Antec Aria Case 
doesn’t appear to respond immediate- 
ly to the power button press, a user is ——E - : : 
likely to press it repeatedly, maybe aH : ; : - j 
even hold it down for several seconds. | 7 
This is both frustrating for the user _ 
and potentially harmful to the device, 
because holding down the power 
button forces the machine to power 
off immediately before the shutdown 
is complete. 
So, we needed a way to tell the 
user, “| got your message. I’m turning 
off now. Give me a minute.” As the 
NetDVD has no display, the natural 
choice was to beep using its PC 
speaker. For this we used the beep 
program written by Johnathan 
Nightingale. The beep package isn’t 
part of the base Ubuntu installation, 
but it’s still available from Ubuntu’s 
Universe archives. Using this program, 
| wrote some init scripts that would 
make the machine start beeping once 
per second during boot up or shut- 
down and finish with an upward or 
downward arpeggio of beeps, respec- 
tively. This had the added benefit of 
informing the user when the device 
was ready for client connections. 
Unfortunately, it wasn’t quite enough. 


Figure 3. Inside of Case 
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Several seconds still would pass between the user pressing the 
power button and the first beep. To make the NetDVD start beep- 
ing immediately, | edited the shell script responsible for responding 
to the power button press, /etc/acpi/powerbtn.sh, so it invokes my 
beep-start init script immediately before running the shutdown 
command. With this change, the NetDVD starts beeping immedi- 
ately in response to the power button press. 


Handling Network Configuration 
Because the NetDVD device must communicate over a TCP/IP 
network, the user must have some way to tell it what IP address, 
network mask and default router to use. This is a tricky problem, 
because you can’t easily communicate with a machine that doesn’t 
have its network parameters set properly. Thankfully, all machines 
on the same subnet can receive UDP broadcast packets even if 
they aren't configured properly for that subnet. So, | designed a 
simple protocol allowing a client machine to locate and configure 
NetDVD devices on its subnet using UDP broadcast. 

To locate NetDVD devices on its subnet, the client program 
broadcasts a packet asking all NetDVD devices to respond. When 
a NetDVD device sees this packet, it responds by broadcasting its 
Ethernet MAC address and other network parameters to the UDP 
port specified in the request. The client program receives this infor- 
mation and displays it to the user. Users will know which NetDVD 
device they want to configure, because every NetDVD device has a 


drive is also capable of faster burn speeds than the laptop drive we 
were using, which our customers will appreciate. 

Sadly, this meant we couldn't use the little Casetronic C134 
case we loved so much. But, moving to a larger case meant we 
could move to hardware that was less expensive and more stable 
overall. As a result, we got a faster processor, a faster and larger 
hard drive and a Gigabit Ethernet interface. Just as important, we 
reduced the problems we'll have in the future due to obsoleted 
hardware, because desktop hardware generally stays on the 
market much longer than laptop hardware. Because we still were 
trying to minimize the size of the device, Ed recommended the 
Aria case from Antec shown in Figure 2. 

By this time, we were using Ubuntu 5.04 Hoary Hedgehog, 
but when | tried to install it on the new machine, it hung while 
detecting network devices. After a little research, we discovered that 
the SysKonnect SK-98xx Gigabit Ethernet interface on the Intel 
D915GUXLK motherboard we were using wasn’t supported properly 
by the Linux 2.6.10 kernel provided with Ubuntu 5.04. Luckily, a 
kernel patch was available from the manufacturer, so | downloaded 
the kernel source code, applied the patch and rebuilt the kernel. 

That fixed the problem with the Ethernet controller, but the 
kernel also had trouble with the motherboard’s ACPI. This caused a 
lot of boot error messages and prevented the machine from han- 
dling a power button press correctly. To fix this problem, | had to 
upgrade to Linux 2.6.12.2 and apply the Gigabit Ethernet driver 


To reconfigure a NetDVD device on its 
subnet, the client program broadcasts a 
packet containing the target device's 
Ethernet MAC address and the network 
parameters it should use. The target 
NetDVD will reconfigure its network 
parameters and broadcast a response 
back to the client's UDP port. All other 
NetDVD devices ignore the request. 
n order to make this scheme work, 
had to disable the spoofprotect 
Linux kernel feature by changing 
spoofprotect=yes to spoofprotect=no 
in /etc/network/options on the NetDVD 
device. The spoofprotect feature causes 
the kernel to ignore packets that come 
from the local subnet but appear to 
come from an invalid IP address for that 
subnet. If we left this feature enabled, 
a NetDVD with incorrect network param- 
eters would ignore the UDP packets 
intended to correct them. 


label displaying its Ethernet MAC address. 


Royalty Free 


Hardware and OS Problems 
Once we got things working and started 
really exercising our prototype, we began 
having problems with burn failures. After 
discussing the issue with Ed Jamison at 
MBX, we decided the problem was the 
laptop-size DVD burner. Due to their 
small size, these burners have more relia- 
bility problems than the full-size drives. 
He recommended switching to a Plextor 
PX-716A 16x Double Layer DVD+RW/-RW 
drive. Plextor has a reputation for making 
extremely reliable DVD burners, and this 
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patch to that. This was difficult to get right, because Ubuntu didn’t 
have a package for that version of the kernel. | had to do a lot of 
experimentation with kernel parameters before | was sure | had all 
of the kernel features that Ubuntu relied upon. 

Once the kernel problems were settled and we had the 
machine functioning as a NetDVD, we discovered another problem. 
The DVD burns actually were taking longer than they had with the 
original hardware, and the DVD activity light showed that the drive 
was frequently idle during the burn. The Ubuntu installation had 
not enabled Direct Memory Access (DMA) for the drive, so the 
drive wasn't getting data fast enough. Once we corrected this, the 
burns came up to the speed we had expected. It’s really a tribute 
to the quality of the Plextor DVD drive that it successfully burned 
several DVDs even when it was starved for data. 

When Ubuntu 5.10 Breezy Badger came out, | was pleased to 
find it corrected all of the problems that required a custom kernel 
build, but it introduced another problem | had no idea how to 
correct. In Ubuntu 5.10, exportfs fails sporadically, though it 
always exits with a O status. This isn’t much of a problem for 
static exports, but as all of our exports are dynamic, it’s a serious 
problem for us. So, we had to go back to Ubuntu 5.04. 


bo NDEPTH 


Conclusion 

In our testing, we've seen only one failure in hundreds of burns 
since moving to the new hardware, so we're confident that the 
NetDVD will be the stable archiving solution we need. As | write 
this, we are on the brink of installing NetDVD devices at two very 
enthusiastic beta sites. They've seen how it works already, and 
based on their reactions, | think we'll have a lot of NetDVD orders 
once it’s officially released. 

It has taken us about 15 months to reach this point, but most 
of that time was spent working on software that goes on our 
Solaris workstations and other things not related to the NetDVD. 
I'm extremely grateful to Ariel King and Dan Duckworth for their 
excellent work developing the new DVD archiving software for our 
workstations. That software was actually much harder to get right. 
| don't think we spent more than three developer-months working 
on the NetDVD device itself. Using Linux and other open-source 
software made that the easy part.m 


Resources for this article: www.linuxjournal.com/article/9071. 


Bradford C. Smith is a software developer in the Molecular Imaging division of Siemens Medical Solutions USA, Inc. He has been working with Linux and loving it since 1996, and he has been known to 
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Developing P2P 


Protocols across NAT 


Hole punching is a possible solution to solving the NAT problem for P2P protocols. 


GIRISH VENKATACHALAM 


Network address translators (NATs) are something every software 
engineer has heard of, not to mention networking professionals. NAT 
has become as ubiquitous as the Cisco router in networking terms. 

Fundamentally, a NAT device allows multiple machines to 
communicate with the Internet using a single globally unique IP 
address, effectively solving the scarce IPv4 address space problem. 
Though not a long-term solution, as originally envisaged in 1994, 
for better or worse, NAT technology is here to stay, even when 
IPv6 addresses become common. This is partly because IPv6 has to 
coexist with IPv4, and one of the ways to achieve that is by using 
NAT technology. 

This article is not so much a description of how a NAT works. There 
already is an excellent article on this subject by Geoff Huston (see the 
on-line Resources). It is quite comprehensive, though plenty of other 
resources are available on the Internet as well. 

This article discusses a possible solution to solving the NAT problem 
for P2P protocols. 


What Is Wrong with NAT? 

NAT breaks the Internet more than it makes it. | may sound harsh here, 
but ask any peer-to-peer application developer, especially the VoIP 
folks, and they will tell you why. 

For instance, you never can do Web hosting behind a NAT device. 
At least, not without sufficient tweaking. Not only that, you cannot 
run any service such as FTP or rsync or any public service through a 
NAT device. This can be solved by obtaining a globally unique IP 
address and configuring the NAT device to bypass traffic originating 
from that particular IP. 

But, the particularly hairy issue with NATed IP addresses is that 
you can't access machines behind a NAT, simply because you won't 
even know that a NAT exists in between. By and large, NAT is 
designed to be transparent, and it remains so. Even if you know 
there is a NAT device, NAT will let traffic reach the appropriate 
private IP only if there is mapping between the private IP/TCP 
or UDP port number with the NAT’s public IP/TCP or UDP port 
number. And, this mapping is created only when traffic originates 
from the private IP to the Internet—not vice versa. 

To make things more complicated, NAT simply drops all unsolicited 
traffic coming from the Internet to the private hosts. Though this fea- 
ture arguably adds a certain degree of security through obscurity, it 
creates more problems than it solves, at least from the perspective of 
the future of the Internet. 

At least 50% of the most commonly used networking applications 
use peer-to-peer technology. Common examples include instant mes- 
saging protocols, VoIP applications, such as Skype, and the BitTorrent 
download accelerator. In fact, peer-to-peer traffic is only going to 
increase as time progresses, because the Internet has a lot more to 
offer beyond the traditional client/server paradigm. 

Peer-to-peer technology, by definition, is a mesh network as 
opposed to a star network in a client/server model. In a peer-to-peer 
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network, all nodes act simultaneously as client and server. This already 
leads to programming complexity, and peer-to-peer nodes also have to 
deal somehow with the problematic NAT devices in between. 

To make things even more difficult for P2P application developers, 
there is no standardized NAT behavior. Different NAT devices behave 
differently. But, the silver lining is that a large portion of the NAT 
devices in existence today still behave sensibly enough at least to let 
peer-to-peer UDP traffic pass through. 

Sending TCP traffic across a NAT device also has met with 
success, though you may not be as lucky as with UDP. In this 
article, we focus purely on UDP, because TCP NAT traversal still 
remains rather tricky. UDP NAT traversal also is not completely 
reliable across all NAT devices, but things are very encouraging 
now and will continue to get better as NAT vendors wake up to 
the need for supporting P2P protocols. 

Incidentally, voice traffic is better handled by UDP, so that suits us 
fine. Now that we have a fairly good idea of the problem we are trying 
to solve, let's get down to the solution. 


Anatomy of the Solution 

The key to the NAT puzzle lies in the fact that in order for 
machines behind a NAT gateway to interact with the public 
Internet, NAT devices necessarily have to allow inbound traffic— 
that is, replies to requests originating from behind the NAT device. 
In other words, NAT devices let traffic through to a particular host 
behind a NAT device, provided the traffic is indeed a reply to a 
request sent by the NAT device. Now, as mentioned above, NAT 
devices vary widely in operation, and they let through replies 
coming from other hosts and port numbers, depending on their 
own notion of what a reply means. 

Our job is simple if we understand this much—that instead of 
connecting directly to the host behind NAT, we somehow need to 
mimic a scenario in which the target host originates a connection to us 
and then we connect to it as though we are responding to the request. 
In other words, our connection request to the target host should seem 
like a reply to the NAT device. 

It turns out that this technique is easy to achieve using a method 
now widely known as UDP hole punching. Contrary to what the name 
suggests, this does not leave a gaping security hole or anything of the 
sort; it is simply a perfectly sensible and effective way to solve the NAT 
problem for peer-to-peer protocols. 

In a nutshell, what UDP hole punching does already has been 
explained. Now if it were only that, life would be too simple, and you 
would not be reading this article. As it turns out, there are plenty of 
obstacles on the way, but none of them are too complicated. 

First is the issue of how to get the private host to originate 
traffic so we can send our connection request to it masquerading 
as a reply. To make things worse, NAT devices also have an idle 
timer, typically of around 60 seconds, such that they stop waiting 
for replies once a request originates and no reply comes within 60 


seconds. So, it is not enough that the private host originate traffic, 
but also we have to act fast—we have to send the “reply” before 
the NAT device removes the “association” with the private host, 
which will frustrate our connection attempt. 

Now, a reply obviously has to come from the original machine 
to which the request was sent. This suits us fine if we are not 
behind another NAT device. So, if we want to talk to a private 
IP, we make the private IP send a packet to us, and we send our 
connection request as a reply to it. But, how do we inform the 
private IP to send a packet to us when we want to talk to it? 

If both the peer-to-peer hosts are behind different NAT devices, 
is it possible at all to communicate with each other? Fortunately, it 
is possible. 

It turns out that NAT devices are somewhat forgiving, and they 
differ in their levels of leniency when it comes to interpreting what 
they consider as reply to a request. There are different varieties of 
NAT behavior: 


1. Full cone NAT 

2. Restricted cone NAT 
3. Restricted port NAT 
4. Symmetric NAT 


| won't go into the details and definitions of these here, as there 
are numerous resources explaining them elsewhere. Symmetric NATs 
are the most formidable enemy for P2P applications. However, with a 
degree of cleverness, we can reasonably “guess” the symmetric NAT 
behavior and deal with it—well, not all symmetric NATs, but many of 
them can be tamed to allow P2P protocols. 

First, how do we tell the private IP that we are interested in 
connecting to it at a particular instance? 


Implementation Details of the UDP 

Hole Punching Technique 

This problem can be solved by joining the problem, rather than fight- 
ing it head on. In order to achieve peer-to-peer traffic across NATs, we 
have to modify our P2P mesh model slightly to make it a hybrid of a 
traditional star model and modern mesh model. 

So, we introduce the concept of a rendezvous server, or mediator 
server, which listens on a globally routable IP address. Almost all peer- 
to-peer protocols have traditionally relied on certain supernodes, or 
in other words, in P2P, all nodes are equal but some are more equal. 
Some nodes always have acted as key players in any P2P protocol. If 
you have heard of a BitTorrent tracker, you know what | mean. 

A rendezvous concept is nothing new in the P2P world, nor is the 
star model totally done away with in P2P. 

Coming back to our original NAT problem, private IPs obviously can 
browse the Internet through NAT devices, and thus they can talk HTTP 
through port 80 or through a proxy HTTP port over TCP. So private 
IPs can almost always open TCP connections to global IP addresses. 
We use this fact to make the private IP connect to a mediator or 
rendezvous server through TCP. 

Our solution relies on the fact that all the P2P nodes are constantly 
in touch with a rendezvous server, listening on a global IP address 
through a persistent TCP connection. Remember that P2P nodes are 
both client and server at the same time, so they can originate connec- 
tions as well as serve connection requests simultaneously. 

It is through this TCP connection that we inform a particular P2P 
node that another node wants to talk to it. Then, the target node 
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sends a request following which the peer sends the connection 
request as a response to the request. 

Because the private machines behind a NAT device do not have a 
routable IP address, the only way for us to access them from outside 
the NAT device is through the mapping that the NAT device maintains 
for the machine to talk to the external world. For each connection 
originated from the private IP, a unique port is assigned at the NAT 
device. For us to talk to the private IP. we have to send our packets to 
that particular port assigned for the private IP’s connection to the 
external world. Now, we know that there is no notion of connection in 
the UDP world, so NAT assumes that if a reply doesn’t come for a UDP 
request in about 60 seconds, the connection is deemed non-existent 
and closed. 

So now we have another problem—that of determining the port 
assigned at the NAT's public interface for the private IP connection. 
This can be inferred by inspecting the source address of the UDP 
datagram that reaches any global IP. 

So far so good. If we are not behind NAT, we can use the previously 
mentioned technique to initiate communication with a private IP using 
the rendezvous server. 

However, reality tells us that P2P peers are more likely to be behind 
a NAT than otherwise. So, this solution is not enough. We want to 
initiate a P2P connection from behind a NAT device ourselves. So, now 
we have two NAT devices in the picture, one behind each P2P node. 

Now the real fun begins. First, let’s redefine our goal in the light of 
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this new twist to the problem and attack it step by step. What we 
want to do now is use the rendezvous server and inform the target 
P2P node to send us a request, but we are behind a NAT. 

So, for any external party to talk to us, we should have a global 
IP/port combo that exists at the NAT public interface. First we have to 
create one for ourselves. Only then we can receive communication 
requests coming from outside the NAT network. 

We can create a mapping for us by sending a packet to a 
global IP. The global IP can then figure out our mapping by 
inspecting the from address. But how do we inform our P2P node 
of this address? For that we can use the TCP connection with the 
rendezvous machine. But, only the global IP to which we send the 
packet knows our association, so how do we figure that out? It's 
simple. The global IP can send that information to us as a reply in 
the packet payload to us. 

Assuming that we somehow obtain a public IP port pair and figure 
that out, we tell the mediator that we are listening at that public 
IP/port pair and request the P2P target node to initiate a request to us. 
Subsequently, we can connect to it as a reply to that message. 

But, then we cannot receive packets from the P2P target node, 
because NAT is not expecting a reply from that global IP. In fact, some 
NATs that show full cone behavior allow packets to come from any IP, 
but most NATs do not—back to square one. 

Consider this: if both P2P nodes behind the NAT send packets to 
each other's public IP/port, the first packet from each party is discarded 
because it was unsolicited. But subsequent packets are let through 
because NAT thinks the packets are replies to our original request. And 
voila, the hole is punched, and UDP traffic can pass through directly 
between the P2P nodes. 

Unfortunately, NATs also differ in their behavior of assigning public 
ports for different destination IPs. Most NAT devices fortunately do not 
change public ports between requests to different destination IPs, so 
we can safely assume that. 

So first we send certain probe or discovery packets to two different 
IPs and figure out the behavior of the NAT. If it is found to be consis- 
tent, our approach will work. In the unlikely case that we bump into 
symmetric NAT behavior that varies the port between requests, we can 
figure out the delta by which the port number varies. And, using this 
we can guess the port assigned for a particular request. 

The reason we are so particular about this is because the first packet 
to our P2P destination behind NAT is dropped by NAT. So, all we can 
do is guess. In practice, however, it works fairly well. This is why it is 
important that the P2P nodes keep the source and the destination 
ports the same for communication. 

Once this hole punching procedure is performed, the two P2P 
nodes can communicate with each other without the help of the 
rendezvous machine. So the rendezvous machine is useful only for 
informing a P2P node about an incoming connection and informing 
each of the communicating peers about each other's public addresses. 
Subsequently, the communication happens directly without the 
intervention of the rendezvous server. 

Now we have to apply some ingenuity and introduce appropriate 
headers in the packets to inform the peer whether it is sending 
a reply meant for the P2P client or whether it is sending a request 
meant for the P2P server. Once we are able to differentiate between 
the two, we are set. We also need to differentiate between hole 
punching traffic and regular traffic, because hole punching traffic 
needs to be bounced, and regular traffic needs to be processed. 

Of course, if we stop sending and receiving, the association at the 
NAT device at both ends will expire. So we either can send keepalive 
traffic or rerun the hole punching technique. You can choose whichev- 
er technique is suitable depending upon your needs. 


This technique will not work if both the P2P nodes are behind the 
same NAT device. So, we also have to figure out whether we can com- 


municate directly using the private IP address itself. Thus, our hole 
punching has to try the private interface along with the peer's public 
interface. And, it can happen that our private network has the same 


private IP as the 


spurious responses. 


peer’s private IP. So we have to guard against getting 


It also can happen that another P2P node in the same private net- 
work as ours has the same private IP as the P2P node we want to talk 
to in another private network. Then we have to do additional valida- 
tion against the peer’s identity to make sure we really are talking 


to the interested node. 
ely case that you run into brain-damaged NAT 


In the uni 
devices at both 
we should be a 


ends, this technique obviously will fail, because 
ble to predict the public address assigned to us. In 


that situation, the only way is to make the rendezvous server act 


as a relay for the traffic. So peer-to-peer traffic goes 


hrough, but 


it is no longer peer to peer with the rendezvous machine acting 
as server. If you run into such situations, you need to think of 


implementing t 


hat as well. 


Now, for the Real Dope, the C Code 
for Achieving the above 
Due to their long length, the listings for this article are located on 
the Linux Journal FTP site at ftp.ssc.com/pub/Ij/listings/issue148/ 
9004.tgz. | leave out unnecessary detail and glue code and focus 
purely on the nontrivial aspects of UDP hole punching. 

If you need more information on implementing your own hole 
punching library, you always can refer to the above design constraints 


and design a so 
Please note 
discovery techn 


ution appropriately. 
that | have consciously left out the rfcs and NAT 
iques, such as STUN and frameworks like ICE. UDP 


hole punching is already complicated, and we don’t gain anything 

by making it even more bloated without adding any real value. So, 
the technique as it stands works as good or even better than other 
NAT traversal mechanisms. 


First, take a 


ook at the rendezvous code (Listing 1). Note that we 


use select() to serve multiple sockets. We could as well use kqueue() 


on *BSD, or be 


ter, use the libevent abstraction (see Resources). But, 


| stuck to select 
us. We talk to t 


) because performance doesn’t matter so much to 
he mediator server only for establishing peer-to-peer 


connections, not otherwise. 

The hole punching implementation is given in Listing 2 and the P2P 
client in Listing 3. 

Using this method, you should be able to develop your own 
peer-to-peer protocol. You easily can develop your own instant 


messaging protoco 


along with some GUI code. You can transfer 


files either using nc or using code for that directly. You can develop 
certain applications, such as transferring voice via a microphone 


and speaker. In 


application with this. 


other words, you can develop a hobby VoIP 


Several possibilities exist. You can add some reliability on top of 


UDP in case you 


One very useful 


are paranoid about your data reaching you safely. 
ool that helped me immensely in this endeavor 


is the Network Swiss-Army knife, netcat. 
You can see hole punching in action by using this simple 
command. At each end, type: 


$ nc -u -p 17000 <peer public IP> 17000 


With only th 


e peer public IP different, you can start communicating 


if you are lucky, because most NAT devices try to assign the same 


private port as the public port. 
If you want to test TCP hole punching, try this: 


$nc -1 -p 17000 

at one end and this: 

$nc -p 17000 <peer public IP> 17000 
at the other end. 


Future Work 

Rather than having one rendezvous server, you can have a few of them 
for failover and geographical distribution. However, if you are behind 
two levels of NAT, sometimes this may not work. You also could listen 
on multiple virtual and real interfaces and attempt hole punching 
on all of them. You can add TCP hole punching on similar lines 
and try that first, and then attempt UDP hole punching.= 


Resources for this article: www.linuxjournal.com/article/9072. 


Girish Venkatachalam loves to play with open-source operating systems, such as OpenBSD, 
FreeBSD and Debian GNU/Linux. He also likes to go cycling when not hacking. He can be contacted 
at girish1729 @gmail.com. 
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Mobile Phones: 


the 


Embedded Linux Challenge 


An overview of the suitablilty, viability and liability of Linux on mobile phones. BILL WEINBERG 


Although mobile handset manufacturers are embracing Linux as 
an emerging platform for next-generation smart phones, development 
and deployment of those devices still face key technical challenges. In 
particular, mobile phone OEMs must deliver devices with power man- 
agement, fast boot up, integrated radio (GPRS) interfaces, advanced 
multimedia capabilities, attractive small form-factor GUls and 
differentiated PIM application sets (browser, phone book and so 
forth)—all integrated and running in a modest memory footprint. 
This is a particular challenge for embedded Linux developers because, 
unlike PCs, phones aren’t built to a standard architecture. 

This article examines various technical challenges that face developers 
of Linux-based mobile phones. It addresses availability and maturity 
of key enabling Linux capabilities and also of open-source projects 
that support phone application development. In addition, it discusses 
technical and economic challenges presented by the stringent and 
numerous requirements of mobile network operators. 


Linux and the Mobile Phone Marketplace 

The global mobile phone market is growing at an explosive pace. 
Industry analysts at IDC report that in Q2/2005, the handset market 
grew 34%, as almost 700 million handsets made their way from device 
OEMs into people's hands and onto the global voice and data net- 
works. Analysts at Gartner predict that by 2009, the global installed 
base will number more than 2.6 billion mobile phones. 

For the Linux-centric segment of the IT industry, these numbers are 
tantalizing—orders of magnitude greater than total Linux shipments 
and installed base for servers, and far greater in volume than the 
worldwide desktop market. As such, the mobile phone market repre- 
sents both an opportunity to “break out", reaching significant market 


Table 1. Mobile Phone Market Tiers 


Tier Price Point Capabilities 


$200 US and up 


Top Tier 
“Smart Phone” 


Mid Tier $49-$199 US Telephony, messaging, limited Internet, 
“Feature/Enhanced” (usually subsidized color display, games, voice dialing 

Phone by subscription) 

Low Tier $0-$49 US Basic telephony, phone book, text messaging 


“Entry/Basic” Phone (often free 


with subscription) 
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Telephony, often Wi-Fi/VoIP, full e-mail and 
browsing, multimedia (MP3, video), SMS/MMS, 
games and voice commands 


share in client devices and to complement the already significant pres- 
ence of Linux in the communications infrastructure (based on carrier 
grade and other versions of enterprise and embedded Linux). 


Why and Whither Linux? 

In the past few years, Linux has made significant gains as a mobile 
phone platform OS. Device manufacturers LG, Motorola, NEC, 
Panasonic and Samsung today ship two-dozen smart phone models 
based on Linux, complemented by Chinese brands like Datang, e28, 
Haier, Huawei and ZTE. Nokia and others also are beginning to ship 
Linux-based wireless VoIP clients. 

Device OEMs, large and small, are choosing Linux as the strategic 
platform for their smart phones for a mix of technical and economic 
reasons. On the technical side, OEMs look to Linux for performance, 
robustness, “gold standard” TCP/IP networking (especially routing) and 
flexibility. On the economic front, Linux offers OEMs lower develop- 
ment and deployment costs, more choice of vendors (including “roll 
your own”), a larger open and commercial technology ecosystem, and 
an opportunity to unify the divergent and costly product lines and 
engineering efforts needed to support multiple product tiers (smart 
phones, feature phones and entry-level devices), network types (GSM, 
CDMA, analog and Wi-Fi) and carrier requirements. 

For all of these strong technical and economic benefits, Linux 
phones account today for between 1-2% of the total market. On 
smart phones, the fastest-growing segment, Linux enjoys a stronger 
position. Smart phone share is growing at 85% per year, and Linux 
owns 25% of the smart phone segment (Q2/2005 Gartner), far ahead 
of Windows Mobile and others, but behind SymbianOS by a factor of 
two or more. 


ARM9, ARM11 SymbianOS, Linux, 
WindowsMobile, 


PalmOS, RIM 


ARM7, ARMQ, 
some SH, M32/M100 


Nucleus, older 
SymbianOS, Brew/REX 


ARM7, legacy 
regional CPUs 


Legacy RTOS 
(Nucleus, iTRON, etc.) 


Figure 1. Mobile Phone Segment Shares (Gartner Q2/2005) 


Pick Your Phone 

Categorizing phone types is not an exact science, nor even an exacting 
marketing exercise. Features that once differentiated phones strongly 
(like e-mail or imaging) are now commonplace across tiers and price 
ranges. Moreover, what is smart today may be a common feature in 
six months. Feature phones for which you pay good money at the 
holidays can end up as entry-level giveaways toward the end of their 
market lifetime the following spring and summer. 


The Smart Phone Trap 

Although delivering Linux-based smart phones is no mean feat, it is still 
easier and more viable than putting the open-source OS on lower-tier 
phones. Why? Because smart phones, with higher prices and more 
ample margins, have more room in the BOM (Bill of Materials)—room 
for hardware dedicated to key phone functions (multimedia, display 
control, baseband RF and so on) and for software to enable that hard- 
ware. Often the application OS (Linux, Windows Mobile and so on) 
runs on a dedicated application processor, with additional CPU and 
DSP cores handling voice, multimedia and RF functions. Smart phone 
buyers are also typically early adopters, eager for the latest technology 
and more tolerant of some marginal behaviors, especially of shorter 
battery life in technology-rich devices. 

Smart phones, however, represent only about 6% of the total 
phone market. If the Linux industry and developer communities want 
truly ubiquitous phone-based deployment, a Linux phone platform also 
must be able to support the technical and economic requirements of 
the broader middle tier or feature phone space. These handsets don’t 
sport all the technical goodies of smart phones, and the underlying 
hardware doesn’t come with all the support hardware either. A cost-down 
BOM means that Linux on the application CPU is directly exposed to 
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the vagaries of software support for voice, data, RF and graphics. Place 
that burden on a single CPU running between 0-200MHz as needed 
for energy management, in a much more modest memory footprint, 
and Linux can't make the middle tier cut. 

Social projects aimed at bridging the digital divide also envision 
open-source phones for low-income populations in developing 
countries (think tiny Ubuntu). But just as the $100 desktop is 
proving elusive, so likely will the free Linux-based cell phone. 

Over time, the specs for middle- and even low-tier phones 
might rise to meet Linux base capabilities, but margins also get 
much thinner on these same devices. Battery technology is not 
improving at an appreciable rate, meaning that applications can't 
make up the difference with faster clocks either. So, if Linux is 
going to break out of the smart phone trap, it must acquire a 
series of new capabilities and enhance and unify many existing 
ones to meet the challenge. 


Technical Challenges 

OSDL kicked off a new initiative (see the OSDL MLI sidebar) to foster 
Linux adoption on mobile telephony handsets. As its first order of 
business, MLI is cataloging gaps and requirements to make Linux a 
more apt phone platform OS. The following list and discussion is repre- 
sentative of input from MLI participants and other interested parties, 
especially handset manufacturers and phone silicon suppliers. 


Power Management 
Today, if a portable device manufacturer wants to offer a Linux-based 
and power-managed device, he or she faces a boggling choice among 
variously divergent paradigms (Table 2). 

OEMs can look to the desktop where notebook-centric schemes 
like ACPI and APM dominate, and indeed occupy most discussions of 
Linux power management on the kernel mailing list. For non-x86/IA-32 
notebook hardware, OEMs can turn to PMU for Apple PowerPC hard- 
ware. Embedded OEMs deploying ARM-licensed silicon can leverage 
the ARM Ltd. IEM framework, or work with the various power 


management schemes present on silicon from dozens of ARM licensees 
(FreeScale, Intel, NEC, Samsung, Tl and others). There also exist unique 
and further divergent energy conservation protocols from MIPS and 
MIPS licensees, from FreeScale for its CPU lines, from IBM for Power 
Architecture, from Renesas and Hitachi, and so on across the silicon 
supplier universe. OEMs also can choose schemes like MontaVista’s 
DPM and other embedded Linux supplier solutions. 

Although choice is a good thing, too much choice can lead to 
fragmentation. In response to this power management smorgasbord, 
members of OSDL MLI and other embedded industry consortia 
have expressed a desire to see either a unified cross-processor 
power and energy management scheme, or a mainstream high-level 
“umbrella” that covers embedded, desktop and even blade-based 
thermal management. 


Radio Interface 

Motorola has been building radio sets for nearly a century. They and 
other handset manufacturers like NEC, Nokia and Panasonic leverage 
their hard-won RF know-how to build their popular phone product 
lines. New entrants and also new designs from existing suppliers, 
however, must overcome a range of designs challenges before they 
can build handsets that meet the requirements of carriers, operators 
and regulators, and do so cost effectively. 

In today’s crop of Linux-based smart phones, the GPRS interface 
resides in an encapsulated “modem” device that can contain an 
additional CPU core, a DSP and RF hardware to support wireless 
communications. It really behaves like a modem—many smart 
phones communicate with these embedded processors via AT 
modem commands over a dedicated serial port. Offloading the 
radio function makes it easier to build a smart phone, but it 
impacts costs by adding components to an already heavy BOM. 

Some experimental designs today remove the modem and expose 
the baseband interface to the application OS (as with Nucleus in mid- 
and low-tier phones), but doing so exposes Linux to hard real-time 
requirements that stretch beyond the limits of recent advances in Linux 
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Power Management 
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Very BIOS-dependent. 
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ARM Ltd. Power management scheme for ARM core licensees with dynamic voltage and frequency scaling (compatible with but 


real-time (preemption and open-source real time—see below). GSM 
and also CDMA wireless protocols predicate signal frame times in the 
800-900 microsecond range. For x86/IA-32 and PowerPC processors 
with 500MHz-1.5GHz CPU clocks, submillisecond worst-case 
response is now commonplace, but with clock-scaled ARM processors 
running at O-200MHz, hard real-time interrupt response and 
preemption are still marginal. 

A separate challenge arises from the use of legacy telephony stacks 
ported “as is” to Linux. This software was written and optimized for 
legacy phone OSes like Nucleus and REX. These proprietary multilayer 
stacks were implemented with unique thread contexts for each layer, 
and when ported to Linux can exhibit 20-30 microsecond context 
switch latencies layer to layer. As such, just traversing the stack with a 
single packet can consume a large portion of available compute time, 
leaving few CPU cycles for other tasks. 

f Linux is going to participate in cost-down mid- and low-tier 
phone designs, it will need both more spritely context switching and/or 
optimized and open native ports of key GPRS and CDMA protocol 
implementations. 


Real Time 

During the past five years, Linux has progressed toward offering signifi- 
cant native real-time responsiveness. Today, Linux is replete with native 
real-time options, including capabilities like the preemptible kernel, 

O(1) scheduler, FUTEXes and the recent Open Source Real-Time Linux 


Project (now merged into preemption patches maintained by Ingo 
Molnar—see the on-line Resources). There also exist dual kernel and 
virtualization technologies like RTLinux, RTAI, Adeos and proprietary 
Jaluna OSware that offer RTOS-like responsiveness by virtue of 
embedding an actual RTOS into the Linux stack. 

OSDL MLI members and others in the community would prefer to 
see native Linux solutions do real-time response. For exposed RF inter- 
faces, and time-sensitive and QoS capabilities like multimedia and voice 
processing, the consensus is that Linux needs continual nudging in the 
direction of native RTOS-like responsiveness. In mobile designs, Linux 
must meet deadlines and switch context with agility in systems whose 
clocks can scale erratically to conserve battery power, jumping from 
200MHz peak performance down to 40MHz (or even OMHz) and back 
in response to system policies and peripheral inputs. 


Small Footprint 
Today’s smart phones can ship with 128MB of Flash and 64MB of 
RAM. However, a phone OS need not seek to occupy every last byte of 
available storage. Every byte used by the OS and middleware is a byte 
not available to OEMs for value-added content. On the plus side, 
embedded Linux can theoretically deploy in a footprint of 1MB or less; 
real phone configurations are much larger. 

Embedded developers, platform providers and maintainers of the 
Linux kernel itself provide a range of configurations and tools to shrink 
the platform footprint: 
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@ Linux Tiny: this build option/patch set was introduced during 
2.6 and results in otherwise mainstream kernels with footprints 
well under 2MB. Linux Tiny also features other space-saving 
patches, like SLOB, a space-efficient replacement for the SLAB 
allocator; tools for tracking memory allocation, counting in-line 
function use and for comparing function sizes across builds; 
and kgdb configurations for systems without serial ports 
(see Resources). 


m ARM Thumb and MIPS16: embedded CPU architectures like 
ARM and MIPS offer special execution modes and small word 
instruction sets that shrink application size by generating and 
executing smaller code and data. These methods and modes are 
best employed to shrink user-space code, but in doing so 
require special mode/size-specific library and system call versions 
to accommodate 8/16-bit instructions and operands where stan- 
dard implementations expect a full 32 bits. More recently, sili- 
con suppliers and maintainers of appropriate architecture trees 
of the Linux kernel have begun building and maintaining special 
versions of their trees to accommodate these hyper-efficient 
execution modes. Even if mainstream kernel builds do support 
such execution modes, such support will likely be all or nothing, 
making it difficult or impossible to support mixed mode systems 
and integration of prebuilt (binary) third-party code. To learn 
more about ARM Thumb or MIPS16, see Resources. 


m XIP—Execute in Place: if you have truly parsimonious RAM 
requirements and can spare a little Flash (and perhaps more per- 


formance), you can configure th 


e Linux kernel and/or individual 


applications to run directly out of Flash. Instead of copying com- 


pressed images from NOR Flash 


exist several schemes to support 


(or other types of ROM), there 
execution of uncompressed 


program images directly in place (XIP). Note that because Flash 


access cycles are usually slower 
programs can run much more s 


than those for DRAM, XIP 
owly than with RAM-based exe- 
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cution; although, kernel XIP can be used to speed up boot time 
by removing the need to copy and decompress the kernel image 
to RAM. To learn more about about User Space XIP with CramFS 
and on raw NOR Flash kernel XIP, see Resources. 


Other Ways to Shrink the Kit 

There are myriad methods, tips and tricks for reducing the user-space 
memory burden. These include using uClibc instead of glibc as a stan- 
dard library, deploying BusyBox and TinyLogin instead of standard 
shells and multiple utilities, and using compressed filesystems like 
CramFS and YAFFS. 


Carrier and Operator Requirements 

Phone manufacturers, however innovative they wish to be, cannot 
simply build the phone of your dreams—or of theirs. Rather, they 
must respond to the expansive and exacting requirements presented 
to them by their customers, the mobile carriers and operators 
(think Cingular, Vodaphone and others), predicated by the networks 
those companies build and maintain, which are highly regulated 
by national governments and even some international bodies. 
These requirements come in the form of phonebook-sized tomes, 
comprising 5,000 or more distinct specifications, and many of 
these specs are themselves highly complex and multifaceted. 


The Once and Future Open Phone 
Governments, especially the US Government, jealously guard 
their control of the electromagnetic spectrum. The US Federal 
Communications Commission (FCC) auctions and doles out grants 
of radio spectrum use and has very particular ideas about band- 
width, signal strength, security and as we've (re)learned in the 
last six years, about content on the “public” airways. Other 
governments and regulatory bodies around the world are similarly 
disposed toward open and free uses of radio frequencies. Devices 
that do not conform to these (overlapping) regulations and do not 
pass regulatory muster (homologation) do not earn approval and 
are not licensed for sale. Violations carry nasty fines and even 
criminal penalties. 
Mobile carriers and operators, in response to these regulatory 
regimens, are understandably reluctant to experiment with open 
device architectures. Ditto for their suppliers, at least on the “thin” 
end of the wire (carrier-grade Linux and other implementations are 
today powering a growing share of wireless infrastructure). Carriers 
and operators are not completely averse to openness, but tend to 
think only in terms of secure delivery of value-added services. By 
establishing careful sandbox environments and limiting API sets on 
the technical end, and by even more careful political negotiations, 
the chain of manufacturing, deployment and regulation have 
begun to crack the lid on otherwise closed handsets. As such, 
mobile phone users and market watchers have seen a handful of 
“can openers” emerge during the last five years, principally Mid-P 
Java and BREW, with mixed results, especially in performance. 
More recently, a slew of native applications has emerged for 


phones based on SymbianOS and on Windows Mobile 5.0. 
Linux-based phones offer up the promise of further prying 
open the clamshell by leveraging the OS to provide a secure appli- 

cation programming environment (in user space); it also comes 
with a well-established community of skilled developers. Whether 
Linux-based handsets will be truly open platforms, remains an 
open question. Phone deployed so far, although based on a Linux 
kernel and many familiar OSS components (like versions of Qt), are 
by no means open devices. Hackers cannot (easily or at all) rebuild 
the kernel, OS and application components, or even add function- 
ality to the stack. These devices are not designed to accept logins, 
let alone reflashing. The “can opener” for these Linux-based 
mobile devices, like those based on proprietary OSes, is Java, 

even if you can download source code for the OS and portions 

of the application stack. 

There do exist after-market resources to support hacking Linux- 
based phones. One such project is Harald Welte’s Open-EZX (see 
Resources). This project, still in its early stages, strives to build a 
100% open phone stack for Motorola mobile phones like the 
A780 and e680. The project's wiki is replete with warnings about 
rendering your phone unbootable and losing regulatory approval, 


OSDL MLI 


but also with useful information on how to get a shell and how to 
cross compile for these devices (they're based on Intel XScale 
Architecture PXA processors). 

Motorola's chief phone architect definitively disavowed support 
for such efforts. Why? Principally, liability issues stemming from its 
customers’ concerns for the integrity and security of their mobile 
networks and the complex burden of supporting millions of 
devices with potentially divergent versions of the Open-EZX soft- 
ware stack. Then why call it Open-EZX? Because device OEMs 
like Motorola do want to encourage the evolution of developer 
communities around their devices and platforms. They just need to 
foster that evolution in a way that is amenable to carrier, operator 
and regulatory sensibilities. Today, that means offering SDKs to 
hand-picked ISVs. 

Hopefully soon, through educational efforts and persistence, this 
very conservative and careful audience of network operators and 
government regulators will be more comfortable with mobile phones 
as computing platforms, not mere mono-function radio devices.m™ 


Resources for this article: www.linuxjournal.com/article/9073. 


Bill Weinberg brings more than 18 years of open systems, embedded and other IT experience to his role 
as Open Source Architecture Specialist and Linux Evangelist at the Open Source Development Labs, 
where he participates in OSDL initiatives for carrier-grade, data center and desktop Linux. 
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Postscripts on the 
Ultimate Linux Boxes 


Some final words on the Ultimate Linux Boxes, including a contender for the Ultimate Notebook. 


Nick Petreley, Editor in Chief 


It's too bad we didn’t get enough note- 
book computers to choose an Ultimate 


Notebook this year, particularly because so 
many people have problems installing and 
using Linux on many notebook computers. 


If it is any consolation to you, I’ve had 
great success with my ABS Mayhem G4 
A78 notebook (www.abs.com). It has 


been replaced by the G4 Revolution since | 
bought it (and the price has dropped sig- 
nificantly, naturally). The key to the G4, or 
any other notebook you consider, is to pick 
one with Linux-supported hardware. Most 
notebooks come with either an NVIDIA display 
or ATI. The G4 A78 has an NVIDIA display 
driver, and I've always had good luck with 


NVIDIA, so that was a driving factor in 


choosing this notebook. It also has an Intel 
M-PCI PRO Wireless Chip, which works out 


of the box even with distributions like 


Kubuntu. The only manual work | had to 
do to make it work was add a line to my 
configuration file to specify my WEP security 
code. All in all, | installed and configured 


Kubuntu on this notebook faster than | 


was able to get the pre-installed Windows 
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XP to work properly. The Windows wireless 
driver couldn't connect to my network 
unless | advertised the network name 
(SSID). It didn’t matter that | typed in the 
SSID manually. Linux had no such trouble. 

The bottom line is that the Mayhem G4 
A78 is a great performer and very Linux- 
friendly. The problem is that the latest 
Mayhem notebooks have slightly different 
hardware. ABS is going with the Intel 
WM3B2915ABGNAX Mini PCI Wireless 
Adapter now (can they add any more letters 
to that item number?). I’m not at all confi- 
dent that most Linux distributions will work 
with this chip out of the box, but then | 
haven't tried it. 

Here are some postscripts about the 
Do-It-Yourself Ultimate Linux Box. We 
offered some advice on how you can get a 
little wiggle room on price, but you might 
benefit from some common-sense tips on 
what not to do. One of the biggest mis- 
takes you can make is to opt to go with a 
dual-card NVIDIA SLI configuration without 
getting any real benefit for the price. For 
example, don’t compromise big on the 
price of your processor in order to invest in 
a dual-card NVIDIA SLI configuration. If you 
don’t have enough CPU power, you won't 
get what you want from the display cards. 
Likewise, there’s no point in doing SLI if 
you're going to connect it to a monitor 
that can do only a 1024x768 resolution. 
With a monitor like that, you probably 
won't see any improvement in performance 
or quality compared to a single card. 

Oh, and here's something you need to 
know. You can’t use dual monitors and SLI 
mode at the same time. You can switch 
between dual monitors and SLI mode with- 
out making any hardware configuration 
changes, but you can't have your SLI cake 
and eat your dual monitors too (whatever 
that means). 

Here’s a do-as-we-say-not-as-we-did tip. 
If you are a do-it-yourself type, you probably 


have several computers and play the hand- 
me-down game. When you upgrade your 
own video card, you hand down your existing 
card to the computer your kids use (or vice 
versa, if they get the premium stuff, first). 

If you are going to hand down your CPU, 
be very careful when removing the CPU from 
one motherboard to transfer it to another. 
We transferred a CPU several times in order 
to test the various motherboards, and there 
was one time when it stuck to and popped 
out while removing the heat sink. 

Here is where I'll personally take the 
blame and switch from the editorial we to |. 
| bent a few pins while prying the CPU loose 
from the heat sink. Try as | may, all my efforts 
to get the pins back into position just made 
things worse. | was never able to re-insert 
that CPU into a socket. Dual-core AMD64 
CPUs don’t come cheap, so that was a 
painful lesson to learn, more painful than 
leaving a piece of my thumb in the CPU fan 
on the Aberdeen server. 

| guess the lesson here is that if you are 
as clumsy as | am, get someone else to do 
the tricky work for you. 

Finally, we made mention of a number 
of benchmarks that weren't fit for publish- 
ing because they didn’t provide useful 
information. In one case, we're referring 
to a benchmark called 3DMark 06. The 
numbers didn’t add anything to what we'd 
already found, and we couldn’t publish the 
results anyway, because our copy of the 
benchmark is not for commercial use. But 
if you dual-boot Windows, | recommend 
you have a look at this benchmark for 
yourself. You can download a copy from 
www.guru3d.com. If your hardware is 
good enough to render the tests well, you'll 
be blown away by the test scenes.m™ 


Nicholas Petreley is Editor in Chief of Linux Journal and a former 
programmer, teacher, analyst and consultant who has been 
working with and writing about Linux for more than ten years. 
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requirements, thereby providing the best performance per watt. Constructed with stainless steel, QuadPuter’s RuggedRack™ 
architecture is designed to keep the processors and memory running cool and efficiently. Hard drives are cooled with external air 
and are front-mounted along with the power supply for easy access and removal. The RuggedRack™ with an 8-way motherboard, 

8 drives, and up to 128 GB of memory is an excellent platform for power- and 
memory-hungry SMP applications. 


Call us first at 508-746-7341 for quotes 
on clusters and storage solutions. 
Find testimonials and a list of satisfied 
customers at microway.com. 


<4 QuadPutere Navion™ with hot swap, redundant power and hard drives and four | 
or eight dual core Opterons, offering the perfect balance between performance 


; and density 


